Critical React Flaw Triggers Calls for Immediate Action
Summary
A maximum-severity vulnerability in React was disclosed that can lead to remote code execution (RCE) via unsafe deserialization in the React Server Components (RSC) protocol and impacts downstream frameworks such as Next.js. Two CVEs were issued (CVE-2025-55182 and CVE-2025-66478), both scored CVSS 10. Researchers at Wiz reported near-100% exploitation success in default configurations and urged immediate remediation. Cloud providers and vendors have applied temporary mitigations, but React maintainers and security teams advise updating to patched versions without delay.
Key Points
- Two CVEs—CVE-2025-55182 (React Server Components) and CVE-2025-66478 (Next.js impact)—both carry CVSS scores of 10.
- The flaw is unsafe deserialization allowing unauthenticated, remote RCE via specially crafted HTTP requests.
- Wiz research indicates ~39% of cloud environments are vulnerable; in Wiz's tests exploitation succeeded with near-100% reliability.
- Cloudflare implemented WAF rules to block exploits for proxied traffic, but recommends customers still update React.
- React maintainers worked with hosting providers to apply temporary mitigations, but these are not a substitute for patching.
- Organisations should upgrade to React 19.0.1, 19.1.2 or 19.2.1 and to the matching patched Next.js releases immediately.
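The upgrade advice above is only useful if you can find every copy of the affected packages in a deployment, including nested installs pinned by a dependency. The following checker is an added example, not code from the article or from the React project: it walks a package-lock.json "packages" map and flags inspected packages older than the patched releases the article names (19.0.1, 19.1.2, 19.2.1). Two things are assumptions rather than facts from the article: that every 19.x release below the patched level on its minor line is unpatched (other lines are reported as "unknown" rather than guessed), and the set of package names in INSPECTED_PACKAGES, which you should adjust to your own advisory data. The lockfile contents are constructed for the demonstration.

```javascript
// Added example (not from the article or the React project): audit a
// package-lock.json for React-family packages below the patched releases
// the article lists: 19.0.1, 19.1.2 and 19.2.1.

// Minor line -> first patched patch level, taken from the article's version list.
const PATCHED_19 = { 0: 1, 1: 2, 2: 1 };

// Package names to inspect. ASSUMPTION: react plus the packages that ship the
// RSC server runtime; adjust to match the advisory you are working from.
const INSPECTED_PACKAGES = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Parse "major.minor.patch[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns "patched", "unpatched" or "unknown" (version outside the lines the
// article covers, or unparsable). Unknown is never silently treated as safe.
function classifyReactVersion(v) {
  const p = parseVersion(v);
  if (!p || p.major !== 19 || !(p.minor in PATCHED_19)) return "unknown";
  const minPatch = PATCHED_19[p.minor];
  if (p.patch > minPatch) return "patched";
  // A prerelease of the fixed version (e.g. 19.2.1-canary-...) sorts below the
  // release in semver, so it is treated conservatively as unpatched.
  if (p.patch === minPatch && p.prerelease === null) return "patched";
  return "unpatched";
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3) and return every
// inspected package that is not confirmed patched. Nested installs such as
// "node_modules/a/node_modules/react" are included: a patched top-level react
// does not help if a dependency pins its own older copy.
function findUnpatched(lock, names = INSPECTED_PACKAGES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" root entry and workspace folders
    const name = path.slice(idx + "node_modules/".length);
    if (!names.has(name) || !entry.version) continue;
    const status = classifyReactVersion(entry.version);
    if (status !== "patched") findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile: top-level 19.2.0 installs (unpatched) plus a
// nested react already at 19.1.2 (patched) and an unrelated package.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "^19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-widget": { version: "2.0.0" },
    "node_modules/some-widget/node_modules/react": { version: "19.1.2" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

// Human-readable report lines, one per finding.
function report(lock) {
  return findUnpatched(lock).map((h) => `${h.status}: ${h.name}@${h.version} (${h.path})`);
}

for (const line of report(SAMPLE_LOCK)) console.log(line);
```

To run it against a real project, parse your own lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the object to `findUnpatched`; treat any "unknown" result as something to resolve by hand rather than as a pass.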
Content summary
The vulnerability was discovered by researcher Lachlan Davidson and reported through Meta’s bug bounty programme. React maintainers and Meta coordinated a rapid fix; Wiz published details showing how trivial exploitation is in default setups. The attack requires only a crafted HTTP request and can be executed remotely without authentication, potentially allowing attackers to run arbitrary code on affected servers. Because React and Next.js are widely deployed across cloud environments, the impact is broad.
Cloud vendors and security vendors have rushed mitigations—Cloudflare deployed WAF rules before public disclosure and Wiz supplied detection queries—but all parties stress that temporary protections should not replace updating to the patched library and framework releases.
Context and relevance
This is a supply-chain and runtime risk that affects many modern web apps using server-side React features. RCE in a ubiquitous UI library magnifies the threat: attackers could pivot from exploited app servers to broader cloud workloads, data stores, or CI/CD pipelines. It ties into larger trends around securing server-side components, faster coordinated disclosure, and the need for rapid patch management and detection orchestration in cloud environments.
Why should I read this?
Look, this one’s urgent. If you run server-side React or Next.js anywhere in your stack, don’t wait — check, patch and verify now. Temporary WAF rules help, but they’re not a forever fix. We’ve boiled down the technical bits and the exact versions you need so you can act fast and avoid getting bitten.
