“I normally don’t say this, however patch proper freakin’ now,” one researcher wrote. “The React CVE itemizing (CVE-2025-55182) is an ideal 10.”
React variations 19.0.1, 19.1.2, or 19.2.1 comprise the weak code. Third-party elements recognized to be affected embody:
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- RedwoodSDK
- Waku
- Subsequent.js
In response to Wiz and fellow safety agency Aikido, the vulnerability, tracked as CVE-2025-55182, resides in Flight, a protocol discovered within the React Server Parts. Subsequent.js has assigned the designation CVE-2025-66478 to trace the vulnerability in its bundle.
The vulnerability stems from unsafe deserialization, the coding technique of changing strings, byte streams, and different “serialized” codecs into objects or information constructions in code. Hackers can exploit the insecure deserialization utilizing payloads that execute malicious code on the server. Patched React variations embody stricter validation and hardened deserialization conduct.
“When a server receives a specifically crafted, malformed payload, it fails to validate the construction accurately,” Wiz defined. “This permits attacker-controlled information to affect server-side execution logic, ensuing within the execution of privileged JavaScript code.”
The corporate added:
In our experimentation, exploitation of this vulnerability had excessive constancy, with a close to 100% success fee and might be leveraged to a full distant code execution. The assault vector is unauthenticated and distant, requiring solely a specifically crafted HTTP request to the goal server. It impacts the default configuration of common frameworks.
Each firms are advising admins and builders to improve React and any dependencies that depend on it. Customers of any of the Distant-enabled frameworks and plugins talked about above ought to test with the maintainers for steerage. Aikido additionally suggests admins and builders scan their codebases and repositories for any use of React utilizing this hyperlink.
