
If you're a frontend developer (or a full-stack dev pretending to like CSS), I hope you weren't planning a quiet Friday. News has broken about a critical vulnerability in the React ecosystem that is making admins everywhere lose sleep.
We are talking about CVE-2025-55182. What's so scary about it? It received the rarely seen, "prestigious" CVSS score of 10.0. Yes, that is on a ten-point scale. It means it's bad. Very bad.
The problem lies within React Server Components (RSC). In short: the server-side RSC code deserializes request payloads sent by untrusted clients (i.e., anyone who can reach the server) without sufficient validation. If you're thinking "sounds like a classic hole," you're right: it is unsafe deserialization of attacker-controlled input.
An attacker can send a specially crafted HTTP request to an RSC endpoint; the server accepts it and, instead of rendering a component, executes the code the attacker smuggled in. We are talking about full Remote Code Execution (RCE) here, reachable over the network. No privileges, login, or user interaction are required, which is exactly what a CVSS 10.0 vector means. The doors are wide open.
The list of affected packages is specific and covers the RSC bindings for the most popular bundlers: react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack, in React 19.0.0, 19.1.0, 19.1.1 and 19.2.0. If you are using Next.js version 15 or newer with the App Router, you are a target, because the App Router is built on exactly these packages.
Don't panic (unless you haven't started updating yet). The library creators have risen to the occasion: patched releases are out, namely React 19.0.1, 19.1.2 and 19.2.1 for the react-server-dom-* packages, and Next.js has published patched versions for its affected release lines (the exact numbers are in the advisory linked below).
Good news for the lazy ones: if you host your app on Vercel, their team has already deployed rules at the WAF level to block known exploit attempts. But don't use that as an excuse. A WAF rule is a mitigation, not a fix, and it does nothing for self-hosted deployments. Update your packages!
Sources:
- React Blog: Critical Security Vulnerability (CVE-2025-55182)
- Next.js Security Advisory (GHSA-9qr9-h5gf-34mp)
Aleksander

Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.