'Exploitation Is Imminent' of Max-Severity React Bug
Meta and the React team patched a critical deserialization flaw that enables unauthenticated remote code execution and affects 39% of cloud environments; multiple frameworks are impacted.
- On Wednesday, the React team disclosed CVE-2025-55182, a maximum-severity unauthenticated remote code execution flaw in React Server Components.
- Developer Lachlan Davidson, lead of security innovation at Carapace, discovered a deserialization defect affecting Server Function endpoints and reported it to Meta on Saturday.
- Affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack; maintainers recommend upgrading to 19.0.1, 19.1.2, and 19.2.1.
- Researchers warned that no attacks have been observed yet but that they expect exploitation soon. Meta privately notified hosting providers and cloud operators and shared web application firewall rules as a temporary mitigation.
- Security firms warned that downstream frameworks face long-tail impacts, while Vercel assigned CVE-2025-66478 and issued a patch alongside Meta's emergency patch rollout.
10 Articles
Developers scramble as critical React flaw threatens major apps
Security researchers and code developers are scrambling to patch and investigate a critical vulnerability affecting React Server Components, an open-source library used widely across the internet and embedded into many essential software frameworks. The rapid response underscores the potential consequences of exploitation. Although no attacks have been observed or reported, researchers expect them soon and are urgently mobilizing resources to ad…
Critical React And Next.js Enables Remote Attackers To Execute Malicious Code - Cybernoz - Cybersecurity News
A critical security flaw in React and Next.js could let remote attackers run malicious code on servers without logging in. The issue affects React Server Components (RSC) and the “Flight” protocol used to send data between the browser and the server. The vulnerabilities are tracked as CVE-2025-55182 for React and CVE-2025-66478 for Next.js. They are rated at the highest severity level and allow unauthenticated remote code execution. How the Vuln…
‘Nasty’ React Vulnerability Affects 39% of Cloud Environments
A major flaw in one of the web’s most widely used frameworks has triggered an urgent security scramble. A critical vulnerability in React Server Components — CVE-2025-55182 — allows attackers to run unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. The threat is rated a maximum of 10 on the CVSS (Common Vulnerability Scoring System). This indicates a high-impact v…
Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution
Critical RSC flaws in React and Next.js enable unauthenticated remote code execution; users should update to patched versions now.
Coverage Details
Bias Distribution
- 100% of the sources are Center