“I often don’t say this, however patch proper freakin’ now,” one researcher wrote. “The React CVE itemizing (CVE-2025-55182) is an ideal 10.”
React variations 19.0.1, 19.1.2, or 19.2.1 include the susceptible code. Third-party parts recognized to be affected embody:
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodSDK
- Waku
- Subsequent.js
In response to Wiz and fellow safety agency Aikido, the vulnerability, tracked as CVE-2025-55182, resides in Flight, a protocol discovered within the React Server Parts. Subsequent.js has assigned the designation CVE-2025-66478 to trace the vulnerability in its bundle.
The vulnerability stems from unsafe deserialization, the coding means of changing strings, byte streams, and different “serialized” codecs into objects or knowledge buildings in code. Hackers can exploit the insecure deserialization utilizing payloads that execute malicious code on the server. Patched React variations embody stricter validation and hardened deserialization conduct.
“When a server receives a specifically crafted, malformed payload, it fails to validate the construction accurately,” Wiz defined. “This permits attacker-controlled knowledge to affect server-side execution logic, ensuing within the execution of privileged JavaScript code.”
The corporate added:
In our experimentation, exploitation of this vulnerability had excessive constancy, with a close to 100% success price and will be leveraged to a full distant code execution. The assault vector is unauthenticated and distant, requiring solely a specifically crafted HTTP request to the goal server. It impacts the default configuration of well-liked frameworks.
Each corporations are advising admins and builders to improve React and any dependencies that depend on it. Customers of any of the Distant-enabled frameworks and plugins talked about above ought to verify with the maintainers for steering. Aikido additionally suggests admins and builders scan their codebases and repositories for any use of React with this hyperlink.
