Critical React Server Vulnerability: Update Now to Prevent RCE Attacks
Red Hot Cyber
Redazione RHC : 4 December 2025 11:29

Developers and administrators around the world are urgently updating their servers following the discovery of a critical vulnerability in React Server that allows attackers to execute code remotely, without authentication, using a single HTTP request. The exploit is now publicly available, and the issue has received the highest possible CVSS severity rating, 10 out of 10.

React is widely used on servers to speed up JavaScript and content rendering: instead of reloading the entire page on each request, it redraws only the parts of the interface that changed. This saves considerable resources and improves application performance. React is estimated to run on roughly 6% of all websites and about 39% of cloud environments, so the vulnerability affects a large portion of deployed infrastructure.

Wiz specialists report that exploitation requires only a single specially crafted HTTP request, and their tests showed a “nearly 100%” success rate. An additional risk is that many popular frameworks and libraries integrate React Server by default, so even applications that do not use React functionality directly, but whose integration layer still calls the vulnerable code, may be exposed.

It is the combination of React’s widespread adoption, the ease of exploitation, and the potential for complete server takeover that earned the vulnerability its top severity rating. On social media, security experts and developers are urging teams to update immediately. “I don’t usually say this, but fix this now, dammit,” writes one expert, noting that the React vulnerability, CVE-2025-55182, is a “perfect 10.”

React versions 19.0.1, 19.1.2, and 19.2.1 are affected. Third-party components that use React Server Components are also vulnerable: the Vite RSC and Parcel RSC plugins, the pre-release version of React Router RSC, RedwoodSDK, Waku, and Next.js. The Next.js vulnerability is tracked separately as CVE-2025-66478.

According to Wiz and Aikido, the issue stems from insecure deserialization in Flight, the protocol used by React Server Components. Deserialization is the process of converting strings, byte streams, and other “serialized” data back into in-memory objects and structures. If that process is implemented incorrectly, an attacker can inject specially crafted data that alters the execution logic of server-side code.

The React developers have already released updates that strengthen validation of incoming data and harden deserialization behavior to prevent such attacks.

Wiz and Aikido strongly recommend that administrators and developers update React and every dependency that uses it as soon as possible, and carefully follow the guidance of the framework and plugin maintainers mentioned above. Aikido also recommends searching the project’s source code and repositories for React usage and ensuring that all potentially vulnerable components are patched.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
