Meta Patches Critical React Flaw That Exposes Servers to Remote Code Execution

Meta patched a critical vulnerability that could allow remote code execution on servers.

Meta released patches this week for a critical vulnerability in React Server Components, a defect that could let attackers run code on servers that use the popular JavaScript framework. The flaw, tracked as CVE-2025-55182, affects the server-side libraries behind React, originally developed inside Facebook and now maintained by the React Foundation. It has prompted rapid updates across cloud providers, hosting services and modern web frameworks that depend on React’s server features.

The issue centers on how React Server Components process structured messages sent from the browser. Those messages act like envelopes the server opens and interprets to fetch data or render components. The vulnerability allowed attackers to craft their own envelopes containing harmful instructions. Before the patch, affected servers would follow those instructions without verifying the sender. In plain terms, the server was opening untrusted mail and acting on its contents, leading to potential remote code execution.

Meta received the report on Nov. 29 and released fixes on Dec. 1 for React versions 19.0.1, 19.1.2 and 19.2.1. The flaw was disclosed publicly two days later by Wiz. Cloudflare deployed network-wide firewall protections on Dec. 2, and other vendors issued guidance to help customers block malicious requests while they updated software. CISA later added the vulnerability to its Known Exploited list after early signs of probing activity.

The breadth of the response reflects React’s reach across the web. Frameworks such as Next.js, React Router, Redwood and others bundle the affected server libraries automatically. In many cases, developers were using React Server Components indirectly, through features enabled by their framework. Some organizations have discovered they were affected even though they never configured server components themselves.
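Because the affected libraries are usually pulled in transitively by a framework rather than listed by the application itself, a lockfile audit is a quicker first check than grepping source. The following is an added example (not the React team's or any framework's tooling) that walks an npm lockfile's `packages` map, including nested `node_modules` paths, and compares each match against the patched releases named above (19.0.1, 19.1.2, 19.2.1). The package names in `SUSPECT_PACKAGES` and the sample lockfile are assumptions constructed for the example; substitute the list from the official advisory.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for React
// server-component libraries older than the patched releases the article
// names. This is not React's own tooling.

// Patched versions from the article, keyed by the 19.x minor line.
const PATCHED_BY_MINOR = { 0: [19, 0, 1], 1: [19, 1, 2], 2: [19, 2, 1] };

// Assumption (not stated in the article): the server-side packages to check.
// Replace with the package list from the official advisory.
const SUSPECT_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Parse "19.1.1" or "19.2.0-canary-abc" into numeric parts plus a prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Lexicographic compare of [major, minor, patch] arrays.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// 'vulnerable', 'patched', or 'review' (prereleases, canaries and other
// major lines are not covered by the three patched versions; check manually).
function classify(version) {
  const p = parseVersion(version);
  if (!p) return 'review';
  const patched = PATCHED_BY_MINOR[p.parts[1]];
  if (p.parts[0] !== 19 || !patched || p.pre) return 'review';
  return cmp(p.parts, patched) < 0 ? 'vulnerable' : 'patched';
}

// Nested paths such as node_modules/next/node_modules/<pkg> are how a
// framework brings the library in without the app naming it directly.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!SUSPECT_PACKAGES.includes(name) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile for the demo; not from any real project.
const SAMPLE_LOCK = { packages: {
  '': { name: 'my-app', version: '1.0.0' },
  'node_modules/react': { version: '19.1.1' },
  'node_modules/react-server-dom-webpack': { version: '19.1.1' },
  'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
  'node_modules/react-server-dom-parcel': { version: '19.2.0-canary-1a2b3c' },
} };

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(f.status.padEnd(10), f.version.padEnd(22), f.path);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a `review` result means the version is outside the three patched lines and needs a manual look rather than being safe.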

Security firms say the flaw’s potential impact depends on where React workloads sit within an environment. Systems that are directly reachable from the internet and that process React Server Component traffic face the highest risk. Many others are shielded behind reverse proxies, firewalls or internal-only architectures. Cloud telemetry from Wiz found vulnerable libraries in roughly 39% of cloud environments, though exposure varies widely based on deployment models.

The React team, major cloud providers and security vendors have urged organizations to update frameworks and rebuild affected applications promptly. Next.js maintainers have released patched versions for branches 15 and 16. Cloudflare, Check Point, Google Cloud and others continue to monitor for new exploit attempts and adjust protective rules.

While the flaw is serious, the coordinated response has helped reduce risk quickly. The incident underscores how tightly connected modern web frameworks are and how a defect in an upstream library can cascade into dozens of downstream tools. It also highlights a familiar lesson: even long-known issues like unsafe deserialization remain relevant as application stacks grow more complex.
