‘Exploitation is imminent’ as 39 percent of cloud environs have max-severity React hole

Summary

A maximum-severity remote code execution (RCE) flaw has been disclosed in React Server Components (CVE-2025-55182) and affects several React server packages and frameworks, including Next.js (CVE-2025-66478). The React team published an emergency advisory and released patches that fix the issue; maintainers urge immediate upgrades. Security researchers warn the flaw is easy to abuse and that mass exploitation is likely soon.

The bug impacts react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (affected versions: 19.0, 19.1.0, 19.1.1 and 19.2.0) and default configurations of frameworks and bundlers such as Next.js, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc and rwsdk. Upgrading to React versions 19.0.1, 19.1.2 or 19.2.1 patches the vulnerability.
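As an added example that is not part of the article or of any React project code, the following Node script audits an npm `package-lock.json` (lockfile v2/v3, which lists every installed copy under a `packages` map) for the three react-server-dom packages and the affected and fixed versions quoted above. The lockfile content is a constructed sample; the page lists "19.0" as affected, which is read here as 19.0.0, and pre-release builds are reported as unknown rather than guessed at.

```javascript
// Added example, not from the article: audit a package-lock.json (v2/v3) for
// the React Server Components packages and versions the advisory lists.
// Affected: react-server-dom-{webpack,parcel,turbopack} 19.0(.0), 19.1.0, 19.1.1, 19.2.0.
// Fixed: 19.0.1, 19.1.2, 19.2.1. Next.js itself is not version-checked here because
// the article gives no Next.js version list; its nested react-server-dom copies are.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// First patch release on each affected minor line that carries the fix.
const FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };

// Classify one exact version string as "affected", "fixed" or "unknown".
function classifyVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(version);
  if (!m) return "unknown";                      // tags, ranges, git URLs
  const line = `${m[1]}.${m[2]}`;
  if (!(line in FIXED_PATCH)) return "unknown";  // not a 19.0/19.1/19.2 line
  if (m[4]) return "unknown";                    // canary/pre-release: verify by hand
  return Number(m[3]) < FIXED_PATCH[line] ? "affected" : "fixed";
}

// Walk the lockfile "packages" map (keys are node_modules paths, so nested
// copies such as node_modules/next/node_modules/x are included) and return
// every react-server-dom-* install that is not on a fixed version.
function findAffected(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue;                         // "" is the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const status = classifyVersion(entry.version || "");
    if (status !== "fixed") hits.push({ path, version: entry.version, status });
  }
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one vulnerable nested copy.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.1.1" },
  },
});

console.log(findAffected(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file contents; an empty result means no react-server-dom-* copy on an affected version was found, not that the application is fully patched.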

Key Points

  • CVE-2025-55182 (React Server Components) is rated CVSS 10.0 — maximum severity.
  • An unauthenticated attacker can craft malicious requests to Server Function endpoints to achieve remote code execution on vulnerable servers.
  • Affected packages include react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack and default setups of Next.js and several bundlers.
  • React maintainers released fixes (upgrade to 19.0.1, 19.1.2 or 19.2.1) and recommend immediate patching.
  • Wiz reports ~39% of cloud environments contain vulnerable instances of Next.js or React — a large attack surface.
  • Vercel assigned CVE-2025-66478 for Next.js and also pushed an alert and patch.
  • Tests reported near-100% exploitation fidelity; researchers expect exploit code and scans to appear rapidly.
  • Cloudflare says its WAF may protect proxied traffic — customers should verify their coverage rather than assume protection.

Context and relevance

React underpins a huge portion of modern web applications (companies like Meta, Netflix, Airbnb, Shopify and many others), and many frameworks and bundlers depend on React server packages. That makes this RCE particularly dangerous: it is a high-impact supply-chain style issue that can give attackers full server control if left unpatched. The combination of an easy exploit path, public patches and a large vulnerable population makes rapid remediation essential for organisations running React/Next.js in production.

Why should I read this?

Short answer: if you run React or Next.js, stop what you’re doing and check your versions. This is one of those ‘patch now or regret it later’ stories — we’ve read the details so you don’t have to spend ages digging. Follow the upgrade advice and verify your Server Function endpoints are not exposed.

Author’s take

Punchy and plain: this is urgent. The vulnerability is trivial to weaponise, affects a huge slice of the cloud, and patches are already public. Treat it as top priority on your patch list — defenders who delay will likely be chasing intrusions soon.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/03/exploitation_is_imminent_react_vulnerability/