Critical React & Node.js Flaw Patched: Update Now (CVE-2025-55182)

Summary
– A critical vulnerability (CVE-2025-55182) in React Server Components allows unauthenticated attackers to achieve remote code execution on the server via a malicious HTTP request.
– The vulnerability affects React versions 19.0.0 through 19.2.0 and has been patched in React v19.2.1, with no current public reports of exploitation.
– It also impacts numerous dependent frameworks and libraries like Next.js (assigned CVE-2025-66478), which have released fixed versions.
– Data indicates a significant portion of cloud environments contain vulnerable instances, with many being publicly exposed.
– Users are urged to update immediately, and some cloud providers have implemented temporary WAF protections while updates are applied.
A critical security vulnerability has been identified within React Server Components, posing a significant risk of remote code execution on application servers. The flaw, tracked as CVE-2025-55182, affects React versions 19.0.0 through 19.2.0 and has been addressed in the latest patch, version 19.2.1. Developers are urged to update immediately to protect their applications from potential exploitation by unauthenticated attackers.
This maximum-severity issue, privately reported by researcher Lachlan Davidson, involves an unsafe deserialization weakness in the React Server Components architecture. While no active exploits have been publicly documented, the potential impact is severe. The vulnerability resides in specific packages including `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. Attackers could craft a malicious HTTP request to any Server Function endpoint. When processed by a vulnerable React server, this request could lead to full remote code execution.
The React development team has emphasized that even applications not explicitly implementing React Server Function endpoints may still be at risk if they support React Server Components. This broadens the potential attack surface considerably. The technical specifics of the flaw are currently being withheld to prevent weaponization while the community applies patches.
The vulnerability’s reach extends far beyond the core React library. Numerous popular frameworks and tools that depend on React or incorporate the vulnerable packages are also affected. This includes Next.js, React Router, Waku, the Redwood SDK, Expo, Vite, and Parcel. For Next.js applications utilizing the App Router, the issue has been assigned a separate identifier, CVE-2025-66478. Patched versions are available, such as Next.js releases 15.0.5, 15.1.9, and 16.0.7.
Recent data from threat researchers at Wiz highlights the widespread nature of the exposure. Their analysis indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to these CVEs. Furthermore, a substantial 44% of all cloud environments have publicly exposed Next.js instances, regardless of the version running, underscoring the urgency for remediation.
Major cloud providers have begun implementing defensive measures. Both Cloudflare and Google Cloud have rolled out new web application firewall rules designed to help protect customers. However, these network-level controls are not a substitute for applying the official software updates. The definitive solution is to upgrade all affected components.
The React Team has provided detailed update instructions for users of React, Node.js, and the various impacted frameworks. Applications that do not use a server, or any framework or bundler plugin supporting React Server Components, are not vulnerable. For all others, applying the available patches is the only way to fully close this critical security gap.
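As an added example (not code from the article, the React project, or the frameworks it names), the Node.js script below audits an npm `package-lock.json` (lockfile v2/v3 `packages` map) for the dependency versions the article states as affected. The version ranges encode only the releases mentioned in this article, the sample lockfile is constructed, and the full list of fixed releases should be taken from the vendor advisories.

```javascript
// Added example: flag lockfile entries whose versions fall inside the ranges
// the article states. Rules cover only versions named in the article.

// Parse "MAJOR.MINOR.PATCH" into numbers (a pre-release suffix is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-way compare of two parsed versions: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Each rule is an affected half-open range [min, fixed) for one package.
const RULES = [
  // CVE-2025-55182: the React Server Components packages the article names,
  // affected from 19.0.0 through 19.2.0, fixed in 19.2.1.
  ...['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack']
    .map((name) => ({ name, min: '19.0.0', fixed: '19.2.1', cve: 'CVE-2025-55182' })),
  // CVE-2025-66478: Next.js App Router; the fixed releases listed in the article.
  { name: 'next', min: '15.0.0', fixed: '15.0.5', cve: 'CVE-2025-66478' },
  { name: 'next', min: '15.1.0', fixed: '15.1.9', cve: 'CVE-2025-66478' },
  { name: 'next', min: '16.0.0', fixed: '16.0.7', cve: 'CVE-2025-66478' },
];

// Walk a parsed package-lock.json and return every matching entry.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Lockfile keys look like "node_modules/a/node_modules/b"; the last
    // segment after "node_modules/" is the package name (scoped names kept).
    const name = path.split('node_modules/').pop();
    const ver = entry.version ? parseSemver(entry.version) : null;
    if (!ver) continue;
    for (const r of RULES) {
      if (r.name !== name) continue;
      if (cmp(ver, parseSemver(r.min)) >= 0 && cmp(ver, parseSemver(r.fixed)) < 0) {
        findings.push({ path, version: entry.version, cve: r.cve, fixed: r.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not real project data).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },          // affected
  'node_modules/next': { version: '15.1.8' },                              // affected
  'node_modules/lib/node_modules/react-server-dom-parcel': { version: '19.2.1' }, // patched
} };
```

Running `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` against a real project prints the entries to upgrade; an empty result only means none of the article's named ranges matched.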
(Source: HelpNet Security)
