Max-severity vulnerability in React, Node.js patched, update ASAP (CVE-2025-55182)
A critical vulnerability (CVE-2025-55182) in React Server Components (RSC) may allow unauthenticated attackers to achieve remote code execution on the application server, the React development team warned on Wednesday.
The maximum-severity vulnerability was privately reported by Lachlan Davidson and has been fixed. At this moment, there are no public reports of it being exploited by attackers and no confirmed public PoC exploits (for now).
Nevertheless, affected users have been advised to upgrade to a non-vulnerable version of React, and of various libraries, frameworks and bundlers depending on it.
About CVE-2025-55182 (and CVE-2025-66478)
React is a free and open-source JavaScript library that allows developers to build fast, interactive user interfaces for web, mobile and desktop apps, single-page applications, and dashboards.
React Server Components (RSC) are a feature that lets parts of React apps run on the server instead of in the browser. RSC were introduced in React v19, in late 2024.
CVE-2025-55182 (also dubbed “React2Shell”) is an unsafe deserialization vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including these packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. It’s been patched in React v19.2.1.
Specific details about the flaw have been withheld for now.
“React Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client,” the React Team explained.
“[CVE-2025-55182 may allow] an unauthenticated attacker [to] craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.”
The vulnerability also affects other frameworks and packages that depend on React or include the vulnerable React packages: Next.js, React Router, Waku, Redwood SDK, Expo, Vite, Parcel, and others.
Vercel has assigned another CVE for the vulnerability as it impacts Next.js applications using the App Router – CVE-2025-66478. Next.js releases 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7 include the fix.
Apps that don’t use a server or a framework, bundler, or bundler plugin that supports React Server Components are not affected.
Available mitigations and patches
“Wiz data indicates that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 and/or CVE-2025-66478,” Wiz threat researchers say.
“Regarding Next.js, the framework itself is present in 69% of environments. Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running).”
Cloudflare and Google Cloud have implemented new rules that should protect customers using their web application firewalls, though those customers should still update to React 19.2.1 and a patched Next.js release as soon as possible.
The React Team has outlined update instructions for users of React, Node.js, and other vulnerable frameworks.
