I fought over this issue for a few hours yesterday and this morning and found this thread which seems to be the cause:

https://github.com/facebook/create-react-app/issues/10411

As well as this proposed fix:

https://github.com/facebook/create-react-app/pull/10412

It looks like it's a dependency issue with immer, react-scripts, and react-dev-tools. They say they will try and push out an update this weekend so I would look forward to that sooner than later.

Answer from Ilya Minarov on Stack Overflow
LoginRadius
loginradius.com › home
React Security Vulnerabilities and How to Fix/Prevent Them
December 24, 2021 - As the React features are increasing, there is an equal delay in the number of days taken by the React community to fix any React security issues. In this article, we discussed the most well-known vulnerabilities like SQLi, XSS, Broken Authentication, XXE, Zip Slip, CSRF, and Package & dependency vulnerabilities, plus how to prevent React apps from such attacks.
React
react.dev › blog › 2025 › 12 › 03 › critical-security-vulnerability-in-react-server-components
Critical Security Vulnerability in React Server Components – React
Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: ... A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1.
People also ask

What are React security issues?
Dangerous URL schemes, broken authentication, and server-side rendering are the main React security issues. Additionally, cross-site scripting (XSS) and cross-site request forgery (CSRF) are also concerns that developers need to be mindful of. It’s crucial for developers to be aware of these vulnerabilities and employ best practices and necessary safeguards to secure their applications against these threats.
relevant.software
relevant.software › blog › react-js-security-guide
React.js Security Best Practices in 2024: React Security
Is React safe against XSS?
React is relatively safe against XSS as it escapes all variable content by default; however, there are some easy tactics to further safeguard your app against this vulnerability. For example, diligently rendering data through JSX, using data sanitizing libraries, and validating user input can significantly enhance protection. Being aware of potential risks and implementing preventive measures are key to maintaining a secure React application against XSS attacks.
relevant.software
relevant.software › blog › react-js-security-guide
React.js Security Best Practices in 2024: React Security
Is React.js secure?
While there is no technology that is 100% secure, React.js is known for having fewer security issues compared to other JS tools. It has been developed and maintained by experts, with regular updates and patches to address any emerging vulnerabilities. There are also numerous tricks and tips available for developers to create a more secure codebase and protect an app from common React.js vulnerabilities in advance. Additionally, by leveraging the vast community around React.js, developers can stay informed and proactive about securing their applications.
relevant.software
relevant.software › blog › react-js-security-guide
React.js Security Best Practices in 2024: React Security
GitHub
github.com › facebook › create-react-app › issues › 11174
Help, `npm audit` says I have a vulnerability in react-scripts! · Issue #11174 · facebook/create-react-app
July 2, 2021 - Despite literally a hundred issues with thousands of comments about npm audit warnings in react-scripts, throughout the years not a single one of them (to the best of our knowledge) has ever been a real vulnerability for CRA users. This is a huge waste of everyone's time. Mostly of yours, but of ours too. Yes, unfortunately that's how npm works since v6. You can bring it up with npm. If enough people complain, maybe they'll rethink this decision. It is unfortunately actively hostile to build tooling. Note that you can run npm install --no-audit to suppress them. If you already know that some-library@x.y.z has the fix that you need, but react-scripts hasn't yet updated to it, you can try your luck using that version forcefully.
Author   gaearon
React
react.dev › blog › 2025 › 12 › 11 › denial-of-service-and-source-code-exposure-in-react-server-components
Denial of Service and Source Code Exposure in React Server Components – React
The patches published January 26th mitigate these DoS vulnerabilities. The original fix addressing the DoS in CVE-2025-55184 was incomplete.
Medium
medium.com › @ignatovich.dm › fixing-vulnerabilities-in-javascript-and-react-repositories-b0b1c4a61f51
Fixing Vulnerabilities in JavaScript and React Repositories | by Frontend Highlights | Medium
September 27, 2024 - Use npm update or yarn upgrade to update dependencies to their latest, stable versions. You can also use npm audit fix or yarn audit fix to automatically apply non-breaking updates for known vulnerabilities.
Reddit
reddit.com › r/reactjs › how to solve critical react scripts vulnerabilities
r/reactjs on Reddit: how to solve critical react scripts vulnerabilities
October 24, 2021 -

After npm audit I got these:

found 27 vulnerabilities (8 moderate, 18 high, 1 critical) in 1985 scanned packages 27 vulnerabilities require manual review. See the full report for details.

And all are coming from react scripts. The critical one is:

Critical Prototype Pollution in immer Package immer Patched in >=9.0.6 Dependency of react-scripts

My project is ready and I have to deploy my React app this week and got this. It's a product app. Please help, how can I resolve this? Thank you :D

Snyk
snyk.io › node-js › react
React npm - Vulnerabilities & Security Analysis
Fix known vulnerabilities in your Node.js, Java, .NET and Ruby apps: apply upgrades and security patches, prevent adding vulnerable dependencies, and get alerted about new security issues.
Wiz
wiz.io › blog › critical-vulnerability-in-react-cve-2025-55182
React2Shell (CVE-2025-55182): Critical React Vulnerability | Wiz Blog
December 3, 2025 - Immediate patching is required. Hardened releases for React and Next.js are available. Wiz Research data shows 39% of cloud environments contain vulnerable instances.
Relevant Software
relevant.software › blog › react-js-security-guide
React.js Security Best Practices in 2024: React Security
June 4, 2025 - However, what exactly allows malicious code to slip into such apps? Below, we will explore security flaws specific to React.js, those common for all frameworks, and ways to fix them both. When building a React-based application, make sure your software developers keep the following React vulnerabilities in mind:
The Hacker News
thehackernews.com › home › new react rsc vulnerabilities enable dos and source code exposure
New React RSC Vulnerabilities Enable DoS and Source Code Exposure
December 12, 2025 - The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure.
Medium
medium.com › front-end-weekly › react-security-vulnerabilities-how-to-protect-your-app-and-fix-them-eca241fd0ec6
React Security Vulnerabilities: How to Protect Your App and Fix Them | by Emma Jhonson | Frontend Weekly | Medium
April 19, 2022 - ... In the context of web applications, ... a user’s account. Moreover, in order to resolve React Vulnerabilities, you can hire React developers....
Microsoft
microsoft.com › home › defending against the cve-2025-55182 (react2shell) vulnerability in react server components
Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components | Microsoft Security Blog
December 15, 2025 - React and Next.js have released fixes for the impacted packages. Upgrade to one of the following patched versions (or later within the same release line): ... Because many frameworks and bundlers rely on these packages, make sure your framework-level updates also pull in the corrected dependencies. ... Patch all affected systems, starting with internet-facing workloads. Use Microsoft Defender Vulnerability ...
Andreidobrinski
andreidobrinski.com › blog › how-to-fix-github-security-issues-and-vulnerabilities-with-create-react-app
How to Fix GitHub Security Issues and Vulnerabilities with Create React App | Andrei Dobrinski's Blog
For react-scripts you can run yarn add --exact react-scripts@version-number with version-number being the one in the create-react-app changelog. Check the changelog for more specific instructions on how to migrate from certain versions to the current one. Be sure to yarn add any other vulnerable packages that aren’t react-scripts.
Radixweb
radixweb.com › blog › reactjs-security-vulnerabilities-and-solutions
React JS Security Vulnerabilities: Identify and Fix Common Threats
October 28, 2024 - Discover the various React JS app security vulnerabilities and solutions to find effective strategies and safeguard your web applications.
GitHub
github.com › facebook › react › security › advisories › GHSA-fv66-9v8q-g76r
Critical Security Vulnerability in React Server Components
December 3, 2025 - There is an unauthenticated remote ... is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of: ... A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1....
Snyk
security.snyk.io › snyk vulnerability database › npm
react | Snyk
Known vulnerabilities in the react package. This does not include vulnerabilities belonging to this package’s dependencies. Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost. Fix for free
OX Security
ox.security › blog › react-cve-2025-55184-67779-55183-react-19-vulnerabilities
React Vulnerabilities Strike Again: Denial Of Service & Information Leakage in Patched Versions of React2Shell - OX Security
December 12, 2025 - The code for the fix handles this case by checking if the loop ran for more than 1000 times, then exiting the loop instead of continuing the value inspection loop. Source: https://github.com/facebook/react/commit/bd4289b116636286def76822dd...
Vercel
vercel.com › kb › bulletin › security-bulletin-cve-2025-55184-and-cve-2025-55183
Security Bulletin: CVE-2025-55184 and CVE-2025-55183 | Vercel Knowledge Base
You can quickly update your Next.js project to the right version by using the fix-react2shell-next command-line tool, which has been updated to fix these additional vulnerabilities.
FOSSA
fossa.com › home › blog › react security: how to fix common vulnerabilities
React Security: How to Fix Common Vulnerabilities | FOSSA Blog
February 4, 2022 - Learn about the common security vulnerabilities in React and best practices to prevent them.