MAX SEVERITY: Critical Flaw in React Server Allows Unauthenticated RCE
Developers and administrators worldwide are scrambling to update their servers after the disclosure of a critical vulnerability in React Server — a flaw that enables unauthenticated remote code execution through a single crafted HTTP request. A public exploit is already available, and the issue has been assigned the maximum severity score: a perfect 10.0 on the CVSS scale.
React is widely deployed on servers to accelerate the delivery of JavaScript and other content: instead of reloading an entire page, it re-renders only the portions of the interface that have changed. This dramatically reduces overhead and improves application performance. Estimates suggest that React powers roughly 6% of all websites and nearly 39% of cloud environments, meaning the vulnerability affects an enormous swath of global infrastructure.
Researchers at Wiz report that exploitation requires only a single maliciously structured HTTP request, achieving “almost 100% reliability” in their tests. The danger is magnified by the fact that many popular frameworks and libraries embed React Server by default. As a result, even applications that do not explicitly use React’s server-side functionality may still be vulnerable if an integration layer invokes the affected code.
It is this combination — React’s vast ubiquity, the triviality of exploitation, and the potential for total server compromise — that justified the maximum criticality rating. Across social networks, security professionals and developers are urging immediate action. “I don’t say this often, but patch right now, for God’s sake,” wrote one specialist, calling CVE-2025-55182 “a perfect ten.”
The affected versions include React 19.0.1, 19.1.2, and 19.2.1. Third-party components built atop React Server Components are also vulnerable: Vite RSC and Parcel RSC plugins, the prerelease of React Router RSC, RedwoodSDK, Waku, and Next.js — the latter tracked separately as CVE-2025-66478.
According to Wiz and Aikido, the flaw stems from unsafe deserialization inside Flight, the protocol underpinning React Server Components. Deserialization is the process of turning serialized data — strings, byte streams, and similar structures — back into in-memory objects. When deserialization is implemented without strict structural validation, an attacker can craft inputs that subtly alter server-side execution flow.
“When the server receives a malformed, attacker-crafted payload, it fails to correctly validate its structure,” Wiz explains. “This allows attacker-controlled data to influence server-side logic and ultimately results in privileged JavaScript execution.” Their experiments demonstrated consistent exploitation, with near-perfect success rates and full remote code execution — no authentication required, and effective even against default configurations in widely used frameworks.
React’s developers have already released patches that strengthen input validation and tighten deserialization behavior, closing the attack vector.
Wiz and Aikido strongly urge administrators and engineers to update React and all dependent components without delay, and to follow the guidance issued by the maintainers of the affected frameworks and plugins. Aikido additionally recommends scanning codebases and repositories to identify where React is used, ensuring every potentially vulnerable component receives the necessary fixes.