Critical bug hits React: immediate response essential


An exceptionally severe security vulnerability in React Server Components allows attackers to execute code remotely without authentication. Developers using React with specific packages and frameworks must update immediately to avoid risks.

Security researchers have discovered an exceptionally severe vulnerability in React, an open-source library embedded in numerous online applications. An estimated six percent of all websites worldwide use React, and according to Wiz, 39 percent of all cloud environments are vulnerable.

React has confirmed the vulnerability. The bug lies in how React Server Components process certain requests. The flaw allows attackers to execute their own code on the server without logging in. The vulnerability is known as CVE-2025-55182 and received the highest severity score of 10 out of 10.

The flaw affects React apps using Server Components through packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The vulnerable versions are 19.0, 19.1.0, 19.1.1, and 19.2.0. Even if an app doesn’t use React Server Functions, it may still be vulnerable if Server Components are enabled.

How to respond

React recommends updating to a secure version as soon as possible: 19.0.1, 19.1.2, or 19.2.1. Given both the severity and simplicity of the bug, exploitation by hackers seems almost inevitable in the short term.

Developers using a React framework that supports Server Components, such as Next.js, React Router, Waku, Redwood, or bundlers like Parcel and Vite, are at risk. These projects use or support the affected React packages. Both production systems and development environments may be affected.
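As an added defender-side example (not code from the React project or from the article), the following Node.js script audits a package-lock.json for the three affected react-server-dom-* packages named above and flags installed copies, including copies nested under a framework such as Next.js, whose version is in the vulnerable set, suggesting the matching patched release. The sample lockfile is constructed for the demonstration; the matching is exact against the versions named in the article, versions not named there are reported as not listed, and pre-release builds are reported for manual review rather than judged automatically.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for the React Server Components packages named in CVE-2025-55182 and flag
// versions in the vulnerable set. Assumption: the version lists below are
// taken from the article; anything not listed there is not judged here.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Vulnerable releases as named in the advisory ("19.0" is read as 19.0.0).
const VULNERABLE_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// First fixed release on each affected minor line.
const FIXED_BY_MINOR = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

// Pad a version like "19.0" to "19.0.0"; keep any pre-release suffix separate.
function parseVersion(version) {
  const [core, prerelease] = version.split('-', 2);
  const parts = core.split('.').map((p) => parseInt(p, 10));
  while (parts.length < 3) parts.push(0);
  if (parts.some(Number.isNaN)) return null;
  return {
    core: parts.slice(0, 3).join('.'),
    minor: `${parts[0]}.${parts[1]}`,
    prerelease: prerelease || null,
  };
}

// Classify one installed version: 'vulnerable', 'fixed', 'prerelease'
// (review manually), 'not-listed' (not named in the advisory), or 'unknown'.
function classifyVersion(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (v.prerelease) return 'prerelease';
  if (VULNERABLE_VERSIONS.has(v.core)) return 'vulnerable';
  if (Object.values(FIXED_BY_MINOR).includes(v.core)) return 'fixed';
  return 'not-listed';
}

// Patched release on the same minor line, or null if that line is not listed.
function recommendedFix(version) {
  const v = parseVersion(version);
  return v ? FIXED_BY_MINOR[v.minor] || null : null;
}

// "node_modules/next/node_modules/react-server-dom-webpack" -> package name;
// scoped names such as "@scope/pkg" are preserved.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every installed copy (top-level and nested) and collect findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const status = classifyVersion(entry.version);
    if (status === 'vulnerable' || status === 'prerelease') {
      findings.push({
        path: lockPath,
        name,
        version: entry.version,
        status,
        fix: recommendedFix(entry.version),
      });
    }
  }
  return findings;
}

function formatReport(findings) {
  if (findings.length === 0) {
    return 'No affected react-server-dom-* versions found in lockfile.';
  }
  return findings
    .map((f) => `${f.status.toUpperCase()}: ${f.name}@${f.version} at ${f.path}` +
      (f.fix ? ` -> update to ${f.fix}` : ''))
    .join('\n');
}

// Constructed sample lockfile (not from a real project): one vulnerable
// top-level package, one already-patched copy nested under a framework,
// one pre-release build, and an unrelated package that must be ignored.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.1.0-canary-abc123' },
  },
};

console.log(formatReport(auditLockfile(SAMPLE_LOCK)));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of the project's package-lock.json; because lockfiles record every nested copy, the walk over `packages` also catches a vulnerable copy pulled in transitively by a framework even when the top-level dependency is already patched.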

React is working with hosting providers on temporary security measures but emphasizes that only an update provides sufficient protection. Separate update instructions are available for each framework and bundler. More information about this can be found here.

Updating can be labor-intensive. Google notes in a blog post how critical the bug is and urges customers to update applications running on Cloud Run or App Engine, Google Kubernetes Engine, Compute Engine, and Firebase immediately. A new Cloud Armor Web Application Firewall rule is meant to provide a temporary extra layer of defense. AWS is responding similarly. However, the WAF rule doesn’t provide permanent protection; it is a way to buy time until the necessary updates are implemented.

The flaw was discovered on November 29 through Meta’s bug bounty program. On December 3, the vulnerability was made public and the fix was released. More technical details were initially not shared, but code for active exploitation is now publicly available. Apps that use React exclusively on the client, or don’t use Server Components, are not affected.