Vulnerability Management, Patch/Configuration Management

Maximum severity React vulnerability threatens extensive compromise

Thirty-nine percent of cloud environments were noted by Wiz to have instances of the JavaScript library React and React-based frameworks, such as Next.js, that are vulnerable to the maximum severity unauthenticated remote code execution flaw, tracked as CVE-2025-55182, which could be subjected to widespread exploitation soon, reports The Register.

Immediate remediation of the security weakness has been urged by both the React team and Next.js lead maintainer Vercel, which tracks the issue as CVE-2025-66478, as it could be easily harnessed in cyberattacks. Illicit HTTP requests made to Server Function endpoints could allow RCE on the server upon deserialization by React, said Vercel in an alert.

"CVE-2025-55182 represents a major risk to users of one of the world's most widely used web application frameworks. Exploitation requires few prerequisites [and] there should be no doubt that in-the-wild exploitation is imminent as soon as attackers begin analyzing now-public patches," said watchTowr founder and CEO Benjamin Harris.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds