Intro
On November 29th, 2025, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.
CVE & CVSS Score
React is one of the most widely used web application development technologies, and the vulnerability allows unauthenticated remote code execution (RCE) on the server through insecure deserialization.
The vulnerability sits in the React Server Components (RSC) "Flight" protocol and affects the React 19 ecosystem and the frameworks that implement it, most notably Next.js. It has been assigned CVE-2025-55182 (React). Next.js was initially assigned a separate identifier, CVE-2025-66478, but that record now appears as rejected in the NVD. The issue carries the highest possible CVSS score of 10.0.
That's very bad
The vulnerability exists in the default configuration of affected applications, meaning standard deployments are at risk as soon as they are reachable. Given the severity and the ease of exploitation, patch immediately.
According to Wiz:
To maintain ecosystem safety while patches are applied, we are currently withholding specific details; the details provided here are intended solely to assist defenders in prioritizing remediation and understanding the risk. We will be updating this blog with additional information as it comes to light.
The framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances.
Vulnerability Description
An unauthenticated attacker can send a malicious HTTP request to any Server Function endpoint, which, when decoded by React, can lead to remote code execution on the server. Even if no Server Function endpoint is implemented, exploitation may still be possible via React Server Components, since the same payload decoding is used there.
The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
If you are using the packages listed above, upgrade immediately. The vulnerability was fixed in versions 19.0.1, 19.1.2, and 19.2.1. If your application's React code never runs on a server, your application is not affected. Likewise, if your application does not use a framework, bundler, or bundler plugin that supports React Server Components, your application is not affected.
The following React frameworks and bundlers are affected:
- Next.js
- React Router
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk
The vulnerability also affects Next.js with App Router (originally tracked as CVE-2025-66478). It is present in Next.js versions 14.3.0-canary.x, 15.x, and 16.x, and is fixed in the following patched versions: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.
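To turn the version lists above into something you can run against a repository, here is an added example (written for this post, not code from the React or Next.js projects): a Node script that walks the "packages" map of a package-lock.json (lockfile v2/v3), picks out the three react-server-dom-* packages and next, and classifies each installed version against the fixed releases named in the advisories. Nested installs (a copy under another package's node_modules) are included, because that is where a stale react-server-dom-webpack tends to hide. The lockfile at the bottom is constructed for the example.

```javascript
// Added triage helper for CVE-2025-55182 / the Next.js fix lines above.
// Not the advisory's own tooling; the version tables below are transcribed from it.

const AFFECTED_RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// First fixed release per affected React 19 minor line.
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
// First fixed Next.js release per affected line; 14.3.0-canary is handled separately.
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
const NEXT_CANARY_FIXED = 88; // 14.3.0-canary.88

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null for anything else (git URLs, tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null } : null;
}

// Semver ordering: numeric core first; a prerelease sorts before its final release.
function compareVersions(a, b) {
  const core = a.major - b.major || a.minor - b.minor || a.patch - b.patch;
  if (core !== 0) return core;
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// "vulnerable" | "fixed" | "not-listed" (version line absent from the advisory) | "unparseable"
function assess(name, version) {
  const v = parseVersion(version);
  if (!v) return "unparseable";
  const line = `${v.major}.${v.minor}`;
  let fixed = null;
  if (AFFECTED_RSC_PACKAGES.includes(name)) {
    fixed = RSC_FIXED[line];
  } else if (name === "next") {
    if (v.major === 14 && v.minor === 3 && v.patch === 0 && v.pre) {
      const m = /^canary\.(\d+)$/.exec(v.pre);
      if (!m) return "not-listed";
      return Number(m[1]) < NEXT_CANARY_FIXED ? "vulnerable" : "fixed";
    }
    fixed = NEXT_FIXED[line];
  } else {
    return "not-listed";
  }
  if (!fixed) return "not-listed"; // e.g. 18.x or a line the advisory does not mention
  return compareVersions(v, parseVersion(fixed)) < 0 ? "vulnerable" : "fixed";
}

// Scan every node_modules entry in a lockfile object; nested copies count too.
function scanLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root project entry ("")
    const name = path.slice(idx + "node_modules/".length); // keeps scoped names intact
    if (name !== "next" && !AFFECTED_RSC_PACKAGES.includes(name)) continue;
    findings.push({ path, name, version: entry.version, status: assess(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project): one patched nested copy,
// one vulnerable top-level copy, and a Next.js release just below the fixed one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react": { version: "19.2.0" }, // react itself is not in the affected list
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

// Usage: const lock = JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"));
console.table(scanLock(SAMPLE_LOCK));
```

Treat "not-listed" as "go read the advisory", not as "safe": a 16.1.x or 15.6.x line that is not in the table simply was not enumerated in the text above, and an "unparseable" entry (a git dependency, a workspace link) needs a manual look.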
Shodan safari
To identify web applications built with React, the following Shodan query should give a solid starting point:
http.html:"id=\"root\""

This is because most React apps are rendered into one main HTML element, like so:

<div id="root"></div>

Results:

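One caveat on the query above: `id="root"` is the mount point used by Vite and Create React App style single-page apps, not by Next.js, which is the framework that matters most here. Next.js Pages Router pages use `<div id="__next">` and an `__NEXT_DATA__` script, App Router pages inline the RSC payload via `self.__next_f.push(...)` and load assets from `/_next/static/`, and a default Next.js deployment sends `X-Powered-By: Next.js`. As an added example (not part of the original post), the fingerprint below checks a response body and headers for those markers; the same strings can be dropped into further `http.html:` queries. The sample responses are constructed, not captured from real hosts.

```javascript
// Added fingerprinting helper, not from the original post.
// Each marker: [regex over the HTML body, evidence label, flags it implies].
const MARKERS = [
  [/id="root"/, 'id="root" mount point (React SPA; also matches Vite/CRA templates)', { react: true }],
  [/id="__next"/, 'id="__next" container (Next.js Pages Router)', { react: true, next: true }],
  [/id="__NEXT_DATA__"/, "__NEXT_DATA__ script (Next.js Pages Router)", { react: true, next: true }],
  [/self\.__next_f\.push\(/, "self.__next_f.push() (Next.js App Router RSC payload)", { react: true, next: true, rsc: true }],
  [/\/_next\/static\//, "/_next/static/ asset path (Next.js)", { react: true, next: true }],
];

// Classify one HTTP response. `rsc: true` means the page was served by the
// App Router, i.e. the React Server Components code path the advisory is about.
function fingerprint(html, headers = {}) {
  const result = { react: false, next: false, rsc: false, evidence: [] };
  for (const [re, label, flags] of MARKERS) {
    if (re.test(html)) {
      Object.assign(result, flags);
      result.evidence.push(label);
    }
  }
  // Header names are case-insensitive; normalise before lookup.
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  if (/next\.js/i.test(lower["x-powered-by"] || "")) {
    result.react = true;
    result.next = true;
    result.evidence.push("X-Powered-By: Next.js header");
  }
  return result;
}

// A Next.js App Router host answers a request carrying "RSC: 1" with a
// text/x-component body instead of HTML; checking the response content type
// confirms the RSC endpoint is reachable without sending anything malformed.
function isRscResponse(headers = {}) {
  const ct = Object.entries(headers).find(([k]) => k.toLowerCase() === "content-type");
  return !!ct && /^text\/x-component/i.test(String(ct[1]));
}

// Constructed sample responses (not real captures).
const SAMPLE_NEXT_APP_ROUTER = `<!DOCTYPE html><html><head>
<link rel="preload" href="/_next/static/chunks/main-app.js" as="script"/>
</head><body>
<script>self.__next_f=self.__next_f||[];self.__next_f.push([0])</script>
<script>self.__next_f.push([1,"0:\\"$L1\\"\\n"])</script>
</body></html>`;
const SAMPLE_VITE_SPA = `<!DOCTYPE html><html><body><div id="root"></div>
<script type="module" src="/assets/index.js"></script></body></html>`;
const SAMPLE_PLAIN = `<html><body><h1>hello</h1></body></html>`;

console.log(fingerprint(SAMPLE_NEXT_APP_ROUTER, { "X-Powered-By": "Next.js" }));
console.log(fingerprint(SAMPLE_VITE_SPA));
console.log(isRscResponse({ "Content-Type": "text/x-component" }));
```

A hit on `rsc` tells you the host is running the App Router and therefore sits in the affected population; it does not tell you the version, so feed the result into the patch check rather than treating it as proof of exploitability.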
That's all for now
I'll update this post as soon as more information becomes available, which likely won't take long. Thanks for reading!
Sources
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
And if you're interested in staying up to date on the latest threats and trends, exploited vulnerabilities or exotic blog posts check out ThreatSenze: