Critical React Framework Vulnerability Enables Remote Code Execution and Supply Chain Risk
A maximum severity vulnerability, tracked as CVE-2025-55182, was discovered and patched in the React JavaScript framework, affecting all versions since 19.0. The flaw, stemming from insecure deserialization in React Server Components payload handling, allows unauthenticated remote code execution, putting millions of web applications and cloud environments at risk. Security researchers highlighted that exploit code is publicly available, and scans indicate that 39% of cloud environments contain vulnerable React instances or use similarly affected versions of Next.js, a related framework. The vulnerability has existed since at least November 2024, and its widespread impact has prompted urgent patching efforts across the industry.
The incident has raised significant concerns about software supply chain security, as React is one of the most widely used front-end frameworks globally, with estimates of 55-87 million websites potentially affected. Cybersecurity experts warn that the increasing complexity and automation in software development, combined with the power of AI, are likely to make such vulnerabilities more frequent and severe. The rapid response from the developer community and security vendors underscores the critical nature of this flaw and the ongoing challenges in securing modern web infrastructure against sophisticated exploitation techniques.
Timeline
Dec 4, 2025
Kensington and Chelsea Social Council confirms historical data breach
The Royal Borough of Kensington and Chelsea Social Council in London confirmed a data breach involving the theft of historical data. The disclosure added another victim case to the roundup of recent cyber incidents.
Dec 4, 2025
FTC begins $15.3 million reimbursement to Avast users
The U.S. Federal Trade Commission moved forward with reimbursing $15.3 million to Avast customers. The payments followed findings that Avast misled users about privacy while selling detailed browsing data.
Dec 4, 2025
Australian IT worker sentenced over airport 'evil twin' Wi-Fi attacks
An Australian IT worker was sentenced for conducting rogue 'evil twin' Wi-Fi attacks at airports. The attacks stole credentials and other private passenger data.
Dec 4, 2025
North Korean actors expand 'Contagious Interview' npm campaign
North Korean threat actors broadened their Contagious Interview software supply chain campaign by distributing additional malicious npm packages. The activity targeted developers and deployed the OtterCookie infostealer.
Dec 4, 2025
Microsoft quietly patches Windows .lnk flaw CVE-2025-9491
Microsoft released a patch for the long-standing Windows shortcut vulnerability CVE-2025-9491. Security experts said the vendor's fix was insufficient compared with third-party mitigations.
Dec 4, 2025
React RCE flaw CVE-2025-55182 discovered in React 19+
A critical remote code execution vulnerability, tracked as CVE-2025-55182, was discovered in the React framework. The flaw affects all versions since React 19 and raised supply chain concerns because of React's broad use across web applications.
Related Stories

Critical Unauthenticated RCE Vulnerabilities in React Server Components and Next.js
A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-55182, has been discovered in React Server Components, affecting core React packages (`react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`) in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. The flaw arises from unsafe deserialization of payloads sent to React Server Function endpoints, allowing attackers to execute arbitrary code on the server without authentication. This vulnerability also impacts frameworks and bundlers that integrate React Server Components, including Next.js (assigned CVE-2025-66478), Vite, Parcel, React Router, RedwoodSDK, and Waku. Even default configurations and newly generated Next.js applications are vulnerable, and exploitation requires only a crafted HTTP request, with no developer error or special setup needed. Immediate patching is strongly advised, as the vulnerability is rated CVSS 10.0 (critical) and has been shown to be highly reliable in exploitation tests. Patched versions are available for React (19.0.1, 19.1.2, 19.2.1) and Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7), and users are urged to upgrade all affected packages and dependencies. Some hosting providers, such as Vercel, have implemented temporary platform-level mitigations, but these are not a substitute for patching. Security researchers estimate that up to 39% of cloud environments may contain vulnerable instances, underscoring the urgency of remediation across the React and Next.js ecosystem.
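The advisory lists the affected React Server Components packages and the first patched release on each React and Next.js minor line, which is enough to check a lockfile mechanically. The following is an added example (not code from the page, React or Next.js); it assumes a package-lock.json with a lockfileVersion 2/3 `packages` map, treats any release below the listed fix on the same major.minor line as unpatched, and uses a constructed sample lockfile:

```javascript
// Added example (not the page's, React's or Next.js's code): scan a package-lock.json
// (lockfileVersion 2/3 "packages" map) for the RSC packages and Next.js releases covered
// by CVE-2025-55182 / CVE-2025-66478. Version numbers come from the advisory above;
// the semver helpers and the sample lockfile are constructed here.
const RSC_FIXES = ["19.0.1", "19.1.2", "19.2.1"];  // first patched release per minor line
const PATCHED = {
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
  "react-server-dom-webpack": RSC_FIXES,
  "react-server-dom-parcel": RSC_FIXES,
  "react-server-dom-turbopack": RSC_FIXES,
};
// Numeric [major, minor, patch]; pre-release/build tags are dropped.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(n => parseInt(n, 10) || 0);
}
function cmpVersion(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if ((x[i] ?? 0) !== (y[i] ?? 0)) return (x[i] ?? 0) - (y[i] ?? 0);
  return 0;
}

// Assumption: anything below the first patched version on the same major.minor
// line is unpatched; a line with no listed fix is not flagged.
function fixFor(name, version) {
  const [maj, min] = parseVersion(version);
  return (PATCHED[name] || []).find(p => {
    const [pm, pn] = parseVersion(p);
    return pm === maj && pn === min;
  });
}
// Walk every installed copy (nested node_modules included) and return
// [{ name, version, path, fixIn }] for each one that needs an upgrade.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const fixIn = fixFor(name, meta.version);
    if (fixIn && cmpVersion(meta.version, fixIn) < 0) findings.push({ name, version: meta.version, path, fixIn });
  }
  return findings;
}

// Constructed sample: a Next.js 15.5 app that also bundles a nested, unpatched RSC package.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.5.6" },
  "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/react-server-dom-parcel": { version: "19.2.1" },
} };
```

Nested copies matter here: a patched top-level package does not cover an older copy pinned under another dependency's own node_modules, which is why the scan walks every entry in the map rather than only the direct dependencies.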
1 month ago
React Vulnerabilities Expose Servers to DoS and Source Code Disclosure
React maintainers have released patches addressing two newly discovered vulnerabilities that could allow attackers to crash servers via denial-of-service (DoS) attacks and potentially disclose sensitive source code. These flaws, which follow closely after the React2Shell incident, have raised concerns about the security of applications built with React, especially those exposed to untrusted input or running in server-side environments. The vulnerabilities are tracked as CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, and security researchers urge immediate attention and patching to mitigate exploitation risks. Security experts highlight that the vulnerabilities could be exploited to disrupt services or leak proprietary code, posing significant risks to organizations relying on React for web application development. The issues have been acknowledged by both the React development team and independent security researchers, with proof-of-concept details and technical advisories made available to the public. Organizations are advised to review their deployments and apply the latest security updates to prevent potential attacks leveraging these flaws.
1 month ago
Exploitation of React2Shell Vulnerability by Botnets and Threat Actors
A critical unauthenticated remote code execution (RCE) vulnerability, identified as React2Shell (`CVE-2025-55182`), was disclosed in December 2025, affecting applications built with React Server Components and related frameworks such as Next.js. Public proof-of-concept exploits were released shortly after disclosure, enabling attackers to inject and execute arbitrary code on vulnerable systems. Security researchers and vendors, including Sysdig, responded by publishing detection guidance and threat bulletins, urging organizations to patch affected software, update dependencies, and monitor for signs of compromise. The vulnerability's severity and ease of exploitation have made it a high-priority target for both opportunistic and advanced threat actors. Notably, botnet operators, including those behind the RondoDox botnet, have begun actively targeting the React2Shell flaw to compromise systems at scale. Security advisories recommend immediate patching and enhanced monitoring, as exploitation attempts have increased rapidly following the public release of exploit code. The incident underscores the ongoing risk posed by supply chain and framework vulnerabilities, especially when widely used components are affected and attackers move quickly to weaponize new flaws.
1 month ago