A maximum-severity vulnerability in React Server Components has been disclosed, potentially enabling attackers to run arbitrary code on affected servers without authentication. The flaw, tracked as CVE-2025-55182, lies in the server-side rendering workflow of React Server Components and can be triggered by a crafted HTTP request. Public exploit code has emerged, heightening the urgency for immediate patches across affected deployments.
React is widely embedded in web apps and cloud environments, with estimates placing its reach at about 6% of all websites and 39% of cloud deployments. When users reload a page, React can re-render only parts that changed, which accelerates delivery and reduces server load—but that same layer can become a vector for compromise when malformed inputs reach the integration point.
Security researchers describe the flaw as an unsafe deserialization pathway that enables remote code execution. In independent testing, security outfit Wiz reported near-100% exploitation reliability, noting that a single HTTP request is enough to gain control of the server. The vulnerability potentially affects a range of frameworks and libraries that ship React Server Components support by default—including Next.js, the Vite and Parcel RSC plugins, React Router RSC previews, RedwoodSDK, Waku, and others.
Reaction from the security community has been swift: maintainers issued patches and urged administrators to update to patched React versions and dependent libraries. The rapid availability of fixes underscores the need for organizations to vet their dependencies and perform comprehensive updates across dependent stacks.
Mitigation steps include upgrading React to the patched version, auditing third-party components for RSC usage, and running vulnerability scanning across cloud and on-premises environments. Administrators should monitor network traffic for anomalous HTTP requests and consult framework maintainers for guidance on securing deployments and verifying that all affected components are updated.
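The audit step above is easy to get wrong because a framework can carry its own nested copy of the React Server Components bindings that a top-level version check never sees. The following script is an added example, not code from the article or from the React project: it walks an npm `package-lock.json` and reports every installed copy of the RSC bindings (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`, the real npm names of those bindings) against a caller-supplied minimum version. The lockfile contents, the `some-framework` package and `PLACEHOLDER_MIN` are constructed for the demonstration; the article does not state the patched version, so substitute the one from the React advisory.

```javascript
// Real npm package names of React's RSC bindings (not taken from the article).
const RSC_PACKAGES = new Set(['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack']);

// Compare "MAJOR.MINOR.PATCH[-prerelease]" strings; returns <0, 0 or >0.
// A prerelease (e.g. a canary build) sorts below the release with the same numbers.
function compareVersions(a, b) {
  const split = (v) => { const i = v.indexOf('-'); return i < 0 ? [v, null] : [v.slice(0, i), v.slice(i + 1)]; };
  const [aCore, aPre] = split(a);
  const [bCore, bPre] = split(b);
  const an = aCore.split('.').map(Number);
  const bn = bCore.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (an[i] || 0) - (bn[i] || 0);
    if (d !== 0) return d;
  }
  if (aPre === null) return bPre === null ? 0 : 1;
  if (bPre === null) return -1;
  return aPre < bPre ? -1 : aPre > bPre ? 1 : 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3) and return one record
// per installed copy of an RSC binding. Nested copies under another package's
// node_modules are included, since that is the copy a framework dependency loads.
function auditLockfile(lock, patchedMin) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue; // the "" key is the root project itself
    const name = path.slice(idx + 'node_modules/'.length);
    if (!RSC_PACKAGES.has(name)) continue;
    findings.push({ name, path, version: meta.version,
      needsUpgrade: compareVersions(meta.version, patchedMin) < 0 });
  }
  return findings;
}

// Constructed sample lockfile: a top-level binding plus a nested canary copy pulled
// in by a made-up framework package. PLACEHOLDER_MIN stands in for the patched
// version named in the React advisory; replace it before real use.
const PLACEHOLDER_MIN = '19.1.0';
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/react': { version: '19.1.0' },
  'node_modules/react-server-dom-webpack': { version: '19.1.0' },
  'node_modules/some-framework': { version: '1.0.0' },
  'node_modules/some-framework/node_modules/react-server-dom-webpack': { version: '19.1.0-canary-1a2b3c' },
} };

for (const f of auditLockfile(SAMPLE_LOCK, PLACEHOLDER_MIN)) {
  console.log(`${f.needsUpgrade ? 'UPGRADE' : 'ok     '} ${f.path} ${f.version}`);
}
```

To audit a real project, load its `package-lock.json` with `JSON.parse` and pass the object to `auditLockfile` together with the advisory's patched version; yarn and pnpm lockfiles use different layouts and would need their own walker.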