Medium
medium.com › @jitendrakhilar609 › react-19-vulnerability-explained-8333eeee1961
React 19 Vulnerability Explained. Recently, a critical security… | by Jitendra Khilar | Medium
December 7, 2025 - React 19’s Server Components vulnerability was serious, but most apps are safe if you’re on React 18 or Next.js 13/14. Teams using Next.js 15 + App Router + RSC must upgrade to the patched versions immediately.
OX Security
ox.security › blog › react-cve-2025-55184-67779-55183-react-19-vulnerabilities
React Vulnerabilities Strike Again: Denial Of Service & Information Leakage in Patched Versions of React2Shell - OX Security
December 12, 2025 - This post by OX Research team was ... Server Components (RSC) affecting React versions 19.0.0 through 19.2.2. CVE-2025-55184 and CVE-2025-67779 enable denial of service attacks, while CVE-2025-55183 exposes backend source ...
Discussions

React 19 RCE vulnerability - can we stop pretending modern frameworks are automatically more secure?
Sir, this is a Wendy’s.
r/reactjs
12
0
January 27, 2026
Critical Vulnerabilities in React and Next.js: everything you need to know - A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, affecting the React 19 ecosystem and frameworks that implement it, most notably Next.js
Feels like having all the behind the scenes magic and hidden endpoints isn't the best approach to build robust solutions. Devs should define all open endpoints and expose them as part of routing configuration.
r/reactjs
82
236
December 3, 2025
Two New React 19 Vulnerabilities - two important vulnerabilities in React, Next.js, and other frameworks that require immediate action (neither of these new issues allow for Remote Code Execution)
r/javascript
22
62
December 12, 2025
React
react.dev › blog › 2025 › 12 › 03 › critical-security-vulnerability-in-react-server-components
Critical Security Vulnerability in React Server Components – React
A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability.
Reddit
reddit.com › r/reactjs › react 19 rce vulnerability - can we stop pretending modern frameworks are automatically more secure?
r/reactjs on Reddit: React 19 RCE vulnerability - can we stop pretending modern frameworks are automatically more secure?
January 27, 2026

The React 19 RCE bug from December (CVE-2025-66478) is a good reminder that no framework is magically secure.

I keep seeing people say WordPress is insecure and moving to Next/React solves security problems. But like... React Server Components just had a critical remote code execution vulnerability. WordPress core is actually pretty solid, most security issues are from old plugins or bad hosting.

Security comes from keeping stuff updated, decent infrastructure, not installing random plugins/packages, and actually knowing what you're deploying. That's it.

The "WordPress bad, modern frameworks secure" thing is getting old when they all have vulnerabilities.

Curious if anyone else has clients who think switching stacks = better security? That conversation is always fun.

Vercel
vercel.com › changelog › cve-2025-55182
Summary of CVE-2025-55182 - Vercel
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478).
Berkeley Security
security.berkeley.edu › news › critical-vulnerabilities-react-and-nextjs
Critical Vulnerabilities in React and Next.js | Information Security Office
A critical vulnerability has been identified in the React Server Components (RSC) "Flight" protocol, a core feature of the modern React 19 ecosystem.
Wiz
wiz.io › blog › critical-vulnerability-in-react-cve-2025-55182
React2Shell (CVE-2025-55182): Critical React Vulnerability | Wiz Blog
December 3, 2025 - A critical vulnerability has been ... most notably Next.js. Assigned CVE-2025-55182, this flaw allows for unauthenticated remote code execution (RCE) on the server due to insecure deserialization....
Expo
expo.dev › changelog › mitigating-critical-security-vulnerability-in-react-server-components
[Updated] Mitigating Multiple Security Vulnerabilities in React Server Components - Expo Changelog
December 5, 2025 - Expo projects can be vulnerable through a dependency on react-server-dom-webpack 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1.
GitHub
github.com › facebook › react › security › advisories › GHSA-fv66-9v8q-g76r
Critical Security Vulnerability in React Server Components
December 3, 2025 - Impact: There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The vulnerability is present in versions 19.0, 19...
GitHub
github.com › facebook › react › security › advisories › GHSA-83fc-fqcc-2hmg
Denial of Service Vulnerabilities in React Server Components
January 26, 2026 - 19.0.0, 19.0.1, 19.0.2, 19.0.3, 19.1.0, 19.1.1, 19.1.2, 19.1.3, 19.1.4, 19.2.0, 19.2.1, 19.2.2, 19.2.3 ... It was found that the fixes to address DoS in React Server Components were incomplete and we found multiple denial of service vulnerabilities ...
Microsoft
microsoft.com › home › defending against the cve-2025-55182 (react2shell) vulnerability in react server components
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components | Microsoft Security Blog
January 30, 2026 - When a client requests data, the ... component tree. The vulnerability exists because affected React Server Components versions fail to validate incoming payloads....
Sonatype
sonatype.com › blog › three-new-react-vulnerabilities-surface
React Vulnerabilities: Risks and Mitigation | Sonatype
December 12, 2025 - Identify all services (not just front-end apps) that depend on React 19 and RSC-capable frameworks.
Vercel
vercel.com › kb › bulletin › security-bulletin-cve-2025-55184-and-cve-2025-55183
Security Bulletin: CVE-2025-55184 and CVE-2025-55183 | Vercel Knowledge Base
Following the React2Shell disclosure, ... vulnerabilities that require patching: a high-severity Denial of Service (CVE-2025-55184) and a medium-severity Source Code Exposure (CVE-2025-55183)....
Payload
payloadcms.com › posts › blog › critical-security-notice-affecting-react-19-and-nextjs
Critical Security Notice Affecting React 19 and Next.js
December 4, 2025 - A critical vulnerability has been disclosed in React Server Components (CVE-2025-55182), impacting React 19 and frameworks built on top of it, including Next.js (CVE-2025-66478).