A major flaw in one of the web’s most widely used frameworks has triggered an urgent security scramble.

A critical vulnerability in React Server Components, CVE-2025-55182, allows attackers to achieve unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

The flaw is rated 10, the maximum, on the CVSS (Common Vulnerability Scoring System) scale.

This indicates a high-impact vulnerability that requires no authentication or user interaction and can be exploited remotely, granting complete control over the targeted server.

The vulnerable packages are react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack in versions 19.0, 19.1.0, 19.1.1, and 19.2.0.

Popular frameworks, including Next.js, React Router, Vite RSC, Parcel RSC, Redwood, and Waku, rely on these packages and must be updated.

However, patched versions with the fixes are available: 19.0.1, 19.1.2, and 19.2.1. For more details on the vulnerability, users can refer to the React Foundation documentation.
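As an added example (not code from the React Foundation, Wiz or the original article), the following Node.js script checks an npm lockfile for the affected packages at the vulnerable versions listed above and reports the patched version to move to. It assumes an npm lockfileVersion 2 or 3 "packages" map, reads the article's "19.0" as 19.0.0, and pairs each patched version with its release line; the sample lockfile is constructed.

```javascript
// Added example: flag vulnerable react-server-dom-* entries in an npm lockfile.
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// Vulnerable versions from the article ("19.0" is read as 19.0.0: assumption).
const VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched versions from the article, keyed by release line (assumed pairing).
const PATCHED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error("no 'packages' map: expected npm lockfileVersion 2 or 3");
  }
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    // Keys look like "node_modules/a/node_modules/b"; the text after the
    // last "node_modules/" is the package name, so nested copies are caught.
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const version = String(meta.version || "");
    if (!VULNERABLE.has(version)) continue;
    const line = version.split(".").slice(0, 2).join(".");
    findings.push({ path, name, version, upgradeTo: PATCHED[line] });
  }
  return findings;
}

// Constructed sample lockfile: one top-level hit, one nested hit, one patched.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.0.1" },
  },
});

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.version} is vulnerable, upgrade to ${f.upgradeTo}`);
}
```

A framework that bundles its own copy of these packages will not show up under these names, so an empty result does not clear the framework itself.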

Cybersecurity firm Wiz reports that 39% of cloud environments contain vulnerable instances. Their analysis shows how widespread the exposure is. Next.js appears in 69% of all cloud environments, and 61% of those use it for publicly accessible applications.

In effect, roughly 44% of all cloud environments have publicly exposed Next.js deployments that fall within the vulnerable range.

“Due to the high severity and the ease of exploitation, immediate patching is required.”

Wiz’s experimentation found that exploitation of this vulnerability had high fidelity, “with a near 100% success rate and can be leveraged to full remote code execution.”

Hosting providers like Cloudflare and Vercel implemented emergency mitigations. “This is a very nasty vulnerability,” said Matthew Prince, CEO of Cloudflare, in a post on X.

Regardless of any temporary mitigations deployed by hosting providers, the React Foundation stresses that developers must update to the patched versions immediately.

“Further details of the vulnerability will be provided after the rollout of the fix is complete,” said the React Foundation.