Yes, a critical remote code execution (RCE) vulnerability has been disclosed in the React framework, specifically affecting React Server Components (RSC) in versions 19.0 through 19.2.0. This flaw, tracked as CVE-2025-55182, carries a maximum CVSS score of 10.0 and allows unauthenticated attackers to execute arbitrary code on vulnerable servers through a crafted HTTP request exploiting insecure deserialization in the RSC “Flight” protocol. Security researchers at Wiz, who analyzed the issue, reported a “near 100% success rate” in their exploitation tests, emphasizing the high reliability and ease of abuse—requiring no authentication or special configuration beyond default setups.
A related downstream vulnerability, CVE-2025-66478, impacts Next.js applications using the App Router (versions 14.0.0 through 15.0.0-rc.0), stemming from the same React issue. Even freshly generated Next.js projects via create-next-app are vulnerable out of the box in production builds. Scans indicate widespread exposure: around 39% of cloud environments run vulnerable React or Next.js instances, with over 571,000 public servers potentially affected based on Shodan data.
Why It’s So Exploitable
• Attack Vector: Attackers send a malicious payload to any RSC Server Function endpoint, which React deserializes unsafely, leading to RCE on the server. This works pre-authentication and can escalate privileges or pivot into networks.
• No User Error Needed: The flaw exists in standard configurations, making it a “default vulnerability” for affected apps.
• Imminent Threat: Experts warn exploitation is “imminent” due to the simplicity—a single HTTP request suffices—and React’s ubiquity in web apps.
The React team acknowledged the issue on December 3, 2025, crediting researcher Lachlan Davidson for the report. Google Cloud and others have deployed interim WAF rules to block exploits, but these are not substitutes for patching.
Immediate Mitigation Steps
1. Upgrade React: Patch to React 19.2.1 or later, where the deserialization flaw is fixed.
2. Upgrade Next.js: Move to Next.js 15.0.0-rc.1 or higher.
3. Verify and Scan: Use tools like npm audit or dependency scanners to check your versions. If hosted on Vercel, their platform mitigations block the attack patterns automatically.
4. Interim Defenses: Implement WAF rules to filter suspicious RSC payloads (e.g., via Cloud Armor) and monitor logs for anomalous requests to Server Function endpoints.
5. Avoid RSC if Possible: For unpatched setups, disable React Server Components temporarily, though this may break functionality.
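As an added example (not code from React, Next.js, or any advisory), the following Node.js script carries out step 3 above: it audits a package-lock.json against the version ranges stated on this page (React 19.0.0 through 19.2.0, fixed in 19.2.1; Next.js 14.0.0 through 15.0.0-rc.0, fixed in 15.0.0-rc.1), including nested duplicate copies that a top-level `npm ls` glance can miss. The lock file embedded below is constructed for the demo, and tracking react-server-dom-webpack alongside react is an assumption; confirm the exact package list against the official advisory.

```javascript
// Added example: audit a package-lock.json for the version ranges named above.
// Not project code; the lock contents below are constructed for illustration.

// Inclusive vulnerable ranges as stated on the page. react-server-dom-webpack is
// an assumption (the RSC runtime package); the page itself names React and Next.js.
const VULNERABLE_RANGES = {
  react: { min: "19.0.0", max: "19.2.0", fixed: "19.2.1" },
  "react-server-dom-webpack": { min: "19.0.0", max: "19.2.0", fixed: "19.2.1" },
  next: { min: "14.0.0", max: "15.0.0-rc.0", fixed: "15.0.0-rc.1" },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Prerelease identifier ordering per semver: numeric before alphanumeric.
function compareIdentifiers(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. Handles the rc.0 vs rc.1 boundary the advisory hinges on.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  // Same core version: a release outranks any prerelease of it.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifiers(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

function isVulnerable(pkg, version) {
  const r = VULNERABLE_RANGES[pkg];
  if (!r) return false;
  return compareSemver(version, r.min) >= 0 && compareSemver(version, r.max) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 lock and report every
// installed copy of a tracked package, nested ones included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (!(name in VULNERABLE_RANGES) || !entry.version) continue;
    findings.push({
      path,
      name,
      version: entry.version,
      vulnerable: isVulnerable(name, entry.version),
      fixed: VULNERABLE_RANGES[name].fixed,
    });
  }
  return findings;
}

// Constructed sample lock: one patched RSC runtime, one vulnerable react,
// one vulnerable next, and a nested React 18 copy that is out of range.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next": { version: "15.0.0-rc.0" },
    "node_modules/some-widget/node_modules/react": { version: "18.3.1" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; defaults to the sample.
const lock = process.argv[2]
  ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
  : SAMPLE_LOCK;
for (const f of auditLockfile(lock)) {
  const status = f.vulnerable ? `VULNERABLE (upgrade to ${f.fixed}+)` : "ok";
  console.log(`${f.path}: ${f.name}@${f.version} -> ${status}`);
}
```

The comparison function is the part worth getting right: the Next.js range ends at a prerelease tag, so a naive string or numeric compare would either flag 15.0.0 as vulnerable or miss 15.0.0-rc.0, while proper semver precedence (release > rc.1 > rc.0) places the boundary exactly where the advisory does. Run it against every lock file in a monorepo, not just the root, since a nested React copy pulled in by a dependency is still loaded by the server.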
This vulnerability underscores the risks in server-side rendering frameworks—patch now to avoid compromise. For official guidance, refer to the React security blog or Next.js advisory.