Critical ‘React2Shell’ Exploit Puts React 19 Applications at Immediate Risk

The security community is racing to respond to a newly disclosed, high-severity vulnerability in React that could allow remote attackers to execute arbitrary code without authentication. The flaw, tracked as CVE-2025-55182, affects recent builds of React 19 and has quickly become one of the most serious web application risks of the year.

React—Meta’s widely used JavaScript framework—underpins millions of websites and high-traffic platforms such as Instagram, Airbnb, and Netflix. With more than 55 million weekly NPM downloads, even a narrowly scoped React issue has the potential for broad global impact.

Patch Released for CVSS 10 React Vulnerability

The React maintainers issued security updates on Wednesday, confirming that CVE-2025-55182 received the maximum CVSS severity rating of 10.0. The flaw impacts the following releases:

  • 19.0
  • 19.1.0
  • 19.1.1
  • 19.2.0

The issue has been resolved in the patched versions 19.0.1, 19.1.2, and 19.2.1.
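A quick way to turn the affected and patched versions above into a check is to compare the React version pinned in a project's lockfile against the first fixed patch level of each 19.x minor. The script below is an added example, not code from the article or from the React project; the minor-to-fixed-patch table is derived from the patched versions listed above, and the sample package-lock structure is constructed for the demonstration.

```javascript
// Added example: flag React versions in the CVE-2025-55182 affected range.
// Assumptions: versions are semver strings such as "19.1.1"; pre-release
// suffixes (e.g. "-canary") are ignored and only the numeric core is compared;
// 19.x minors not in the table are treated as released after the fix.

const FIRST_FIXED_PATCH = {
  0: 1, // 19.0.x fixed in 19.0.1
  1: 2, // 19.1.x fixed in 19.1.2
  2: 1, // 19.2.x fixed in 19.2.1
};

// Parse "v19.1.1", "19.1.1", or "19.0" into numeric parts (missing patch -> 0).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3] };
}

// True when the version is one of the releases the advisory lists as affected.
function isVulnerableReactVersion(v) {
  const { major, minor, patch } = parseVersion(v);
  if (major !== 19) return false; // only React 19 is in scope
  const fixedPatch = FIRST_FIXED_PATCH[minor];
  if (fixedPatch === undefined) return false; // minor not covered by the advisory
  return patch < fixedPatch;
}

// Walk a package-lock (lockfileVersion 2 or 3) and report every installed
// copy of "react", including nested copies under other dependencies.
function findVulnerableReactInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/react$/.test(path)) continue;
    if (entry && entry.version && isVulnerableReactVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project): the top-level react
// is vulnerable, while a nested copy is already on a patched release.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/some-ui-lib/node_modules/react": { version: "19.2.1" },
  },
};

console.log(findVulnerableReactInLock(SAMPLE_LOCK));
// [ { path: 'node_modules/react', version: '19.1.1' } ]
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Checking the lockfile rather than `package.json` matters because a caret range such as `^19.1.0` says nothing about which version is actually installed, and nested copies pulled in by other dependencies are easy to miss.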

The weakness—quickly dubbed React2Shell—was privately reported on November 29 by security researcher Lachlan Davidson. According to the advisory, the problem stems from how React processes payloads sent to React Server Function endpoints. Notably, applications that don’t use Server Functions may still be exposed if they rely on React Server Components (RSC), a relatively new feature in the framework.

Exploit Development Already Underway

Although no active exploitation had been confirmed at the time of disclosure, researchers noted that proof-of-concept code appeared online within a day, and the vulnerability has already been incorporated into automated scanning tools. Cloud security company Wiz reported that the flaw affects default settings in several RSC-related tools and can be triggered through specially crafted HTTP requests.

Wiz’s telemetry shows that nearly 40% of cloud environments contain React installations vulnerable to React2Shell.

A number of related ecosystems may also be at risk, including:

  • Next.js
  • React Router RSC
  • Vite RSC plugin
  • Parcel RSC plugin
  • RedwoodSDK
  • Waku

Next.js maintainers attempted to assign their own CVE (CVE-2025-66478), but it was rejected as a duplicate of the React identifier.

Security Experts Split on Severity

Many cybersecurity researchers expect active threat campaigns to emerge quickly. Justin Moore of Palo Alto Networks’ Unit 42 described React2Shell as a “master key” flaw that abuses trusted data structures rather than exploiting crashes or memory bugs. Unit 42 estimates that more than 968,000 internet-facing servers run frameworks that could be susceptible.

Moore warned that the reliability of the exploit makes widespread attacks a matter of “when, not if.”

Not all experts agree on the level of urgency. Well-known researcher Kevin Beaumont attempted to temper industry concerns, noting that the vulnerability only impacts React 19 applications that explicitly use React Server, which he characterized as a relatively new and limited-adoption feature.

Major Cloud Providers Deploy Emergency Mitigations

Cloud and security vendors moved swiftly to protect customers:

  • Google Cloud implemented new web application firewall rules to block expected exploit patterns.
  • AWS deployed updated WAF signatures and confirmed that its managed hosting services are not affected.
  • Cloudflare automatically pushed network-wide protections for all customers using its WAF-proxied infrastructure.
  • Netlify has already applied the patched React versions across its platform.
  • F5 is reviewing its product line but has not found any vulnerable components.

Additional companies assisting with detection and monitoring include Akamai, Orca Security, Tenable, Aikido, and Miggo.

In a late update, AWS reported observing Chinese threat actors attempting to exploit the vulnerability in the wild, suggesting that active attacks may be underway sooner than many anticipated.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO