Patch Now! Critical Malware Vulnerability Threatens React

The JavaScript programming library React and certain apps created with it are vulnerable. Security updates are available for download.


Software developers working with React should immediately update the JavaScript programming library to the latest version for security reasons. If this is not done, attackers can exploit a vulnerability and completely compromise systems by executing malicious code. Security updates are available.

A security advisory states that React Server Components are affected by a vulnerability rated "critical" (CVE-2025-55182) with the highest possible severity (CVSS score 10 out of 10). According to the developers, the flaw specifically affects the following packages in React versions 19.0, 19.1.0, 19.1.1, and 19.2.0:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

They further explain that apps built with React are likely to be vulnerable even if they do not use React Server Functions: the mere possibility of invoking them is enough for a potential attack.

The developers state that they have fixed the security issue in versions 19.0.1, 19.1.2, and 19.2.1. The React frameworks and bundlers next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk are also affected; the developers plan to provide fixes for these cases later. Admins can find further information on the update process in the advisory.
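As a quick triage aid for the package list and fixed versions named above, here is an added example (not code from heise or from the React project) that scans an npm `package-lock.json` for the three `react-server-dom-*` packages and flags installs below the patched versions 19.0.1, 19.1.2, and 19.2.1. The lockfile it scans is constructed inline; it only reports versions the advisory explicitly names, and anything else (for example a future 19.3.x) is classified as "unlisted" rather than assumed safe, since the page says nothing about those.

```javascript
// Added example, not part of the article or the React project.
// Scans the "packages" map of an npm lockfile (lockfileVersion 2 or 3) for the
// react-server-dom-* packages the advisory names and reports whether each
// installed version is below the fixed release the article lists.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// First patched patch level for each 19.x minor line, taken from the article:
// 19.0.1, 19.1.2 and 19.2.1. Minor lines not listed here are treated as unknown.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

// Parses "19.2.0" (or the shorthand "19.0" used in the advisory) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3] };
}

// Returns 'vulnerable', 'fixed' or 'unlisted' for one package@version.
function classify(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return 'unlisted';
  const p = parseVersion(version);
  if (!p || p.major !== 19 || !(p.minor in FIXED_PATCH_BY_MINOR)) return 'unlisted';
  return p.patch < FIXED_PATCH_BY_MINOR[p.minor] ? 'vulnerable' : 'fixed';
}

// Derives the package name from a lockfile path such as
// "node_modules/a/node_modules/react-server-dom-webpack" (nested installs too).
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Walks the lockfile and returns one finding per affected package found.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = entry.name || nameFromPath(path);
    if (!name || !AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

function formatReport(findings) {
  if (findings.length === 0) return 'No react-server-dom-* packages found.';
  return findings
    .map((f) => `${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`)
    .join('\n');
}

// Constructed sample lockfile (not a real project): a mix of vulnerable,
// fixed and nested installs so every branch of classify() is exercised.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/react-server-dom-parcel': { version: '19.1.2' },
    'node_modules/react-server-dom-turbopack': { version: '19.0.0' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '19.2.1' },
  },
};

console.log(formatReport(scanLockfile(SAMPLE_LOCK)));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the "unlisted" status is deliberate so that versions outside the advisory's list prompt a manual check of the advisory rather than silently passing.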

Attacks are said to be possible remotely and without authentication. In an affected app, attackers can manipulate the HTTP requests exchanged between client and server and ultimately execute malicious code. Further details about the vulnerability are expected to follow at a later date.


A security researcher has dubbed the React vulnerability React2Shell, alluding to the Log4j vulnerability. In a post on X, they mention a hash value; at present, its origin is unclear. A connection to a proof-of-concept exploit (PoC) is plausible. However, a statement from Tenable security researchers contradicts this: according to them, there are currently no indications of a PoC for attacking instances with default configurations.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.