Dangerous RCE Flaw in React, Next.js Threatens Cloud Environments, Apps
A maximum-severity vulnerability (CVSS 10) has been found in the React and Next.js frameworks; attackers can exploit it for remote code execution (RCE). It affects 39% of cloud environments, and patches have been released. 2025-12-4 15:54:36 Author: securityboulevard.com

Security and developer teams are running to keep ahead of a maximum-severity security flaw in popular open source React frameworks that threat actors can exploit to run remote code execution (RCE) attacks in applications, services, and cloud environments.

The team behind React JavaScript library and Vercel, which created the Next.js framework based on React, disclosed the vulnerability this week, urging users to apply fixes to the vulnerability, which garnered a maximum CVSS severity rating of 10.

Security pros said the flaw is relatively easy to abuse and, while no attacks in the wild have been reported, they expect it to be exploited soon. When that happens, the reach of the attacks could be significant. Security researchers with cybersecurity firm Wiz wrote that 39% of cloud environments contain instances of Next.js or React in versions vulnerable to CVE-2025-55182 (in React) and CVE-2025-66478 (Next.js), or both.

“Regarding Next.js, the framework itself is present in 69% of environments,” they wrote. “Notably, 61% of those environments have public applications running Next.js, meaning that 44% of all cloud environments have publicly exposed Next.js instances (regardless of the version running).”

Wide Use of React, Next.js

Justin Moore, senior manager of threat intel research at Palo Alto Networks’ Unit 42, said the flaw is a critical threat because it’s a “master key exploit, succeeding not by crashing the system, but by abusing its trust in incoming data structures.”

“The system executes the malicious payload with the same reliability as legitimate code because it operates exactly as intended, but on malicious input,” Moore said, adding that Unit 42 has identified more than 968,000 servers running common modern frameworks like React and Next.js, and that almost 40% of cloud environments are exposed. “The stability of this flaw means it’s no longer a question of if attackers will use it, but when it will be widely exploited.”

Tenable researchers wrote that last year, in the State of JavaScript annual survey of developers in the JavaScript ecosystem, 82% of respondents said they use React. They added that “what adds to the elevated severity is the fact that exploitation can occur in apps that support React Server Components, even if the React Server Function endpoints are not in use.”

Rapid Response

React was created by Meta but is now maintained as an open source project by the React Foundation. Security researcher Lachlan Davidson reported the flaw to Meta over the weekend, and an emergency patch was pushed out four days later as React versions 19.0.1, 19.1.2, and 19.2.1. According to the React team, the security flaw is present in four versions of React, in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages.

“Any framework or library bundling the react-server implementation is likely affected,” Wiz researchers wrote. Those include not only Next.js, but also Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku.

Bug Threatens React Server Components Users

According to the React team, the vulnerability is in React Server Components, which was introduced two years ago as a framework developers can use to build user interfaces, allowing React components to run exclusively on the server. The group warned that “even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.”

It added that “if your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.”

Wiz researchers wrote that the flaw enables unauthenticated RCE on servers because of insecure deserialization.

“The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk,” they wrote.

Vercel said the vulnerable React Server Components protocol lets untrusted inputs influence the behavior of server-side execution and that, under some conditions, bad actors could craft requests that trigger server execution paths that can result in RCE in unpatched environments.

A Significant Threat

Wiz researchers stressed how dangerous the flaw is.

“In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution,” they wrote. “The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks.”

Beyond the React-issued patch, efforts are underway to help organizations protect themselves against attacks that exploit the vulnerability. Google wrote that it rolled out a new rule for its Cloud Armor web application firewall, created to detect and block CVE-2025-55182-related exploitation attempts. Available now, it aims to protect internet-facing applications and services that use global or regional application load balancers.

Cloudflare wrote that it has created and deployed a new protection to address the React security flaw and that customers are automatically protected. In addition, a penetration tester who goes by the name “fatguru” has published on GitHub a Python security assessment tool designed to scan for and detect React Server Components systems that might be exposed to the vulnerability.

Source: https://securityboulevard.com/2025/12/dangerous-rce-flaw-in-react-next-js-threatens-cloud-environments-apps/