‘Nasty’ React Vulnerability Affects 39% of Cloud Environments
A CVSS 10-rated critical vulnerability affects React Server Components in versions 19.0–19.2.0. A patched update has been released.
A major flaw in one of the web’s most widely used frameworks has triggered an urgent security scramble.
A critical vulnerability in React Server Components — CVE-2025-55182 — allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
The vulnerability is rated at the maximum score of 10 on the CVSS (Common Vulnerability Scoring System).
This indicates a high-impact vulnerability that requires no authentication or user interaction and can be exploited remotely — granting complete control over the targeted server.
The vulnerable packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0.
Popular frameworks, including Next.js, React Router, Vite RSC, Parcel RSC, Redwood, and Waku, rely on these packages and must be updated.
Patched versions with the fixes — 19.0.1, 19.1.2, and 19.2.1 — are available. For more details on the vulnerability, users can refer to the React Foundation documentation.
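One way to check an application for the affected package versions listed above, as an added example that is not part of the article or the React project: it walks an npm package-lock.json (lockfileVersion 2/3 `packages` map), flags the three react-server-dom-* packages when their version precedes the patched release of its 19.x minor line, and reports the version to upgrade to. The lockfile data is constructed; the article writes the first affected release as "19.0", which this code assumes means 19.0.0.

```javascript
// Packages named in the advisory text above.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// First fixed patch level for each affected 19.x minor line:
// 19.0.1, 19.1.2 and 19.2.1 (per the article). Other lines are not in scope.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True for 19.0.0, 19.1.0, 19.1.1 and 19.2.0; false for patched or
// unrelated versions. Unparseable specs (git/tarball refs) are not classified.
function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p) return false;
  const [major, minor, patch] = p;
  return major === 19 && minor in FIXED_PATCH && patch < FIXED_PATCH[minor];
}

// Smallest patched release on the same minor line, or null if not affected.
function fixedVersionFor(v) {
  if (!isVulnerableVersion(v)) return null;
  const [, minor] = parseVersion(v);
  return `19.${minor}.${FIXED_PATCH[minor]}`;
}

// Scan every installed copy, including nested node_modules duplicates,
// since a transitive copy pulled in by a framework is just as exposed.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (AFFECTED_PACKAGES.has(name) && isVulnerableVersion(meta.version)) {
      hits.push({ path, name, version: meta.version, fix: fixedVersionFor(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct and one nested vulnerable copy,
// one already patched, plus plain "react" which is not an affected package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-tool/node_modules/react-server-dom-parcel": { version: "19.1.1" },
  },
};
console.log(findVulnerable(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result only says the lockfile is clean, not that the deployed build is.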
Cybersecurity firm Wiz reports that 39% of cloud environments contain vulnerable instances. Their analysis shows how widespread the exposure is. Next.js appears in 69% of all cloud environments, and 61% of those use it for publicly accessible applications.
In effect, roughly 44% of all cloud environments have publicly exposed Next.js deployments that fall within the vulnerable range.
“Due to the high severity and the ease of exploitation, immediate patching is required.”
Wiz’s experimentation found that exploitation of this vulnerability had high fidelity, “with a near 100% success rate and can be leveraged to full remote code execution.”
Hosting providers like Cloudflare and Vercel implemented emergency mitigations. “This is a very nasty vulnerability,” said Matthew Prince, CEO of Cloudflare, in a post on X.
Regardless of any temporary mitigations deployed by hosting providers, the React Foundation stresses that developers must update to the patched versions immediately.
“Further details of the vulnerability will be provided after the rollout of the fix is complete,” said the React Foundation.