
“I don’t usually say this, but it’s OK now,” one researcher wrote. “React CVE listing (CVE-2025-55182) is a perfect 10.”
React versions 19.0.1, 19.1.2, and 19.2.1 contain unsafe code. Known third-party components that are affected include:
- Vite RSC Plugin
- Parcel RSC Plugin
- React Router RSC Preview
- RedwoodSDK
- Waku
- Next.js
According to Wiz and fellow security firm Aikido, the vulnerability, tracked as CVE-2025-55182, resides in Flight, a protocol found in React server components. Next.js has assigned the designation CVE-2025-66478 to track the vulnerability in its package.
The vulnerability arises from unsafe deserialization, the coding process of converting strings, byte streams, and other “serialized” formats into objects or data structures in code. Hackers can exploit insecure deserialization by using payloads that execute malicious code on the server. Patched React versions include stricter validation and stricter deserialization behavior.
“When a server receives a specially crafted, malformed payload, it fails to correctly verify the structure,” Wiz explained. “This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code.”
The company added:
In our experiment, this vulnerability had high fidelity in exploitation, with a near 100% success rate and can be leveraged for full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. This affects the default configuration of popular frameworks.
Both companies are advising admins and developers to upgrade React and any dependencies on it. Users of any of the remote-enabled frameworks and plugins mentioned above should check with the maintainers for guidance. Aikido also suggests that administrators and developers scan their codebases and repositories for any use of React using this link.
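The scan Aikido recommends can be partly automated against npm lockfiles. As an added example that is not from the article, from either security firm, or from the React project, this Python script reads a package-lock.json (lockfileVersion 2 or 3), lists every copy of react and of the react-server-dom-* packages, nested copies under other dependencies included, and compares each against a minimum patched level for its release line. The WATCHED set, the MIN_PATCHED table (a placeholder to fill from the React advisory) and the lockfile excerpt are assumptions constructed for the example.

```python
import json
import re
from typing import Dict, List, Tuple

# Packages carrying the Flight (React Server Components) code paths: react itself and
# the bundler-specific react-server-dom-* packages. Assumed list; extend from the advisory.
WATCHED = {"react", "react-dom", "react-server-dom-webpack",
           "react-server-dom-parcel", "react-server-dom-turbopack"}
# PLACEHOLDER: lowest patched patch-level per release line ("major.minor" -> patch).
# Fill from the React advisory for CVE-2025-55182; these values are constructed.
MIN_PATCHED: Dict[str, int] = {"19.0": 1, "19.1": 2, "19.2": 1}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-.*)?$")

def parse_version(v: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease) for an npm lockfile version."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4] is not None

def is_patched(version: str, min_patched: Dict[str, int] = MIN_PATCHED) -> bool:
    """True only for a release at or above its line's fixed patch level; prereleases
    (which sort below the release they precede) and unknown lines return False."""
    major, minor, patch, prerelease = parse_version(version)
    floor = min_patched.get(f"{major}.{minor}")
    return floor is not None and not prerelease and patch >= floor

def scan_lockfile(lock_json: str, min_patched: Dict[str, int] = MIN_PATCHED) -> List[dict]:
    """List watched packages in a package-lock.json (lockfileVersion 2 or 3). "packages" is
    keyed by install path, so nested copies under other dependencies are found too."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED:
            ver = meta.get("version", "")
            findings.append({"path": path, "name": name, "version": ver,
                             "patched": is_patched(ver, min_patched)})
    return findings

# Constructed lockfile excerpt: top-level and nested React copies plus a bystander.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/react": {"version": "19.0.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    "node_modules/next/node_modules/react": {"version": "19.2.1"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
```

Anything reported with patched set to False, including unknown release lines and prerelease builds, is a candidate for the upgrade both firms recommend.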
