Experts warn this 'worst case scenario' React vulnerability could soon be exploited - so patch now

• Critical React flaw (CVE-2025-55182) enables pre-auth RCE in React Server Components
• Affects versions 19.0–19.2.0 and frameworks like Next, React Router, Vite; patches released in 19.0.1, 19.1.2, 19.2.1
• Experts warn exploitation is imminent with near 100% success rate; urgent upgrades strongly advised

React is one of the most popular JavaScript libraries, which powers much of today’s internet. Researchers recently discovered a maximum-severity vulnerability. This bug could allow even the low-skilled threat actors to execute malicious code (RCE) on vulnerable instances.

Earlier this week, the React team published a new security advisory detailing a pre-authentication bug in multiple versions of multiple packs, affecting React Server Components. The versions that are affected include 19.0, 19.1.0, 19.1.1, and 19.2.0, of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

The bug is now tracked as CVE-2025-55182, and was ...