Critical React Server Components vulnerability prompts urgent patching
Researchers and security firms are urging administrators and developers to apply patches immediately for a maximum-severity vulnerability in React Server Components, tracked as CVE-2025-55182. “I usually don’t say this, but patch right freakin’ now,” one researcher wrote. “The React CVE listing (CVE-2025-55182) is a perfect 10.” Wiz and fellow security firm Aikido say the flaw resides in Flight, a protocol used in React Server Components.
The vulnerable code is present in React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. Third-party components known to be affected include the Vite RSC plugin, the Parcel RSC plugin, the React Router RSC preview, RedwoodSDK, Waku, and Next.js, which has assigned CVE-2025-66478 to track the issue in its own package.
The companies say the problem stems from unsafe deserialization, where specially crafted payloads can execute malicious code on the server. “When a server receives a specially crafted, malformed payload, it fails to validate the structure correctly,” Wiz explained, adding that exploitation in their testing had a near 100% success rate and can be leveraged for full remote code execution.
The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request and affecting default framework configurations. Patched React releases are 19.0.1+, 19.1.2+, and 19.2.1.