Critical React Vulnerability Demands Immediate Patching
A severe security vulnerability has been discovered in React, prompting urgent calls for developers to update their systems.This flaw, designated CVE-2025-55182 (and CVE-2025-66478 within Next.js), is considered exceptionally critical, with some security researchers rating it a “perfect 10” in severity. Ignoring this issue could leave yoru applications vulnerable to remote code execution.
what’s the Problem?
The vulnerability resides within Flight, a protocol used in React Server Components. It stems from a dangerous condition known as unsafe deserialization. Essentially, this means your server is improperly handling incoming data, allowing attackers to inject malicious code.
Here’s how it works: when a server receives a specially crafted, malicious request, it fails to properly validate the data’s structure. This allows attackers to manipulate server-side processes and execute privileged JavaScript code. Exploitation is remarkably reliable, with near 100% success rates reported in testing. Furthermore, the attack requires no authentication and can be launched remotely with a simple, crafted HTTP request.
Which Versions Are Affected?
You should instantly check if your projects are using any of the following vulnerable React versions:
* 19.0.1
* 19.1.2
* 19.2.1
Impact Beyond Core react
The issue extends beyond the core react library itself. Several popular third-party components and frameworks are also affected, including:
* Vite RSC plugin
* Parcel RSC plugin
* React Router RSC preview
* RedwoodSDK
* Waku
* Next.js
If you utilize any of these in your projects, you must also investigate and apply necessary updates.
What Do You Need to Do?
The solution is straightforward: update to a patched version of React. Fortunately, updated versions are readily available:
* Upgrade to the latest stable release of React.
* Ensure all dependencies that rely on React are also updated.
* If you’re using Next.js, update to a version that includes the fix for CVE-2025-66478.
Furthermore, it’s crucial to check with the maintainers of any Remote Server Component (RSC)-enabled frameworks or plugins you’re using for specific guidance.
Proactive steps for Enhanced Security
Beyond patching, consider these steps to bolster your security posture:
* Scan Your Codebase: Utilize tools to identify any instances of React within your projects. A helpful resource for this is available