Introduction
On December 3, 2025, the React team disclosed one of the most critical security vulnerabilities in the history of web development. Tracked as CVE-2025-55182 (and nicknamed "React2Shell" or "React4Shell"), the flaw allowed an unauthenticated attacker to execute arbitrary code on any server running an affected build of React Server Components, putting millions of websites at risk. React runs in nearly 40% of cloud environments and underpins platforms such as Facebook, Netflix and Airbnb, so this was not a bug in a handful of apps; it threatened a significant share of the modern web.
TL;DR - What You Need to Know
This is a critical security issue that requires immediate action if you use React Server Components (for example, Next.js apps on the App Router).
- What: Critical vulnerability (CVSS 10.0) in React Server Components that allows unauthenticated remote code execution
- Affected: The RSC packages react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack at 19.0.0, 19.1.0, 19.1.1 and 19.2.0, and frameworks built on them such as Next.js and React Router
- Risk: Anyone who can reach a Server Function endpoint over HTTP can run code on your server, with no credentials
- Fix: Upgrade to 19.0.1, 19.1.2 or 19.2.1 (and to the patched release of your framework) immediately
What Are React Server Components?
Before we dive into the vulnerability, let's understand what React Server Components (RSC) are. Think of them as React components that run on the server instead of in the browser. They let you read from a database directly without exposing an API endpoint, reduce the amount of JavaScript shipped to the browser, and move heavy work to the server. The client still needs a way to call back into the server: Server Functions (functions marked with the "use server" directive) are invoked over HTTP at React Server Function endpoints, where the arguments arrive in React's own serialized wire format (the RSC payload, not plain JSON) and are decoded by the react-server-dom-* package that matches your bundler. That decoding step is where the vulnerability lived.
How the Vulnerability Worked
The vulnerability was in how React decoded (deserialized) payloads sent to React Server Function endpoints. In outline, an attack worked like this:

- Attacker crafts a malicious request: instead of the serialized arguments a real client would send, the attacker sends a payload built to abuse how the decoder reconstructs objects
- Server receives the request: it lands on a Server Function endpoint, and the framework hands the body to the RSC decoder before any application code runs
- Unsafe deserialization: the decoder trusts the structure of the payload, so attacker-controlled data steers what the server constructs and invokes instead of being treated as inert input
- Code execution: attacker-chosen code runs inside the Node.js process serving the app, with that process's access to environment variables, secrets, the filesystem and the network
The Scariest Part
No authentication was required. Even if your app put every page and API behind a login, the Server Function endpoint is handled by the framework itself, is reachable by anyone who can send it an HTTP request, and the vulnerable decoding ran before any authorization check you write inside routes or Server Functions. That is why it received a CVSS score of 10.0, the maximum severity rating. Do not assume an app is safe just because it defines no Server Functions of its own; what matters is whether an affected react-server-dom-* build is deployed, so check your framework's advisory rather than guessing.
What Was Affected?
The vulnerability lives in the React Server Components packages rather than in react or react-dom themselves: react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack at versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 (each release of these packages tracks the matching React release, which is why the advisory also lists those React versions). Any framework that ships one of them is affected: Next.js, React Router (in its RSC mode), Waku, Parcel RSC, Vite RSC and any other framework built on React Server Components.
Real-World Impact
Security researchers demonstrated that the vulnerability could be exploited with a near-100% success rate. The potential damage was enormous:
- Complete server takeover: Attackers could execute any code and gain full control of the process, and from there of the host
- Data theft: Access to databases, user information and sensitive files
- Credential exposure: Theft of API keys, database passwords and other secrets, which in Node.js deployments usually sit in the process's environment variables
- Pivoting: A compromised server becomes a foothold for attacks on databases, internal services and any other system it can reach
How to Fix It (Immediate Action Required)
If you're using React Server Components, upgrade immediately. Update the RSC packages to 19.2.1, 19.1.2 or 19.0.1 (whichever matches the minor line you're on), and update your framework (Next.js, React Router, etc.) to its patched release, since frameworks pin and in some cases bundle these packages. Verify with 'npm ls react react-dom react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel'. Two caveats: check every copy in the dependency tree, not just the top-level one, because a nested copy under another package is just as reachable; and Next.js ships its own vendored copy of the react-server-dom packages inside the next package, so for Next.js the version of next you deploy, not the npm output, determines whether you're fixed.
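To make the version check repeatable across many repositories, here is an added example (not code from the React project or from this article) that audits a package-lock.json for the affected RSC packages and versions the advisory lists, including copies nested under other packages. The lockfile shape it walks is npm's "packages" map (lockfileVersion 2 or 3); the sample lockfile embedded below is constructed for the example, and treating a prerelease build of the patched version as unpatched is a conservative assumption, not an advisory statement.

```javascript
// Added example (not code from the React project or this article): audit an npm
// lockfile for the RSC packages and versions the CVE-2025-55182 advisory lists.
// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3).

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Patched release per affected minor line, from the advisory. Minor lines not
// listed here (e.g. 18.x) are not flagged.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    // "19.2.1-canary-..." sorts before "19.2.1" under semver; treating such a
    // build as unpatched is the conservative choice when you cannot tell.
    prerelease: v.charAt(m[0].length) === "-",
  };
}

function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease !== b.prerelease) return a.prerelease ? -1 : 1;
  return 0;
}

// Returns the patched version string if (name, version) is an affected build of
// an RSC package, otherwise null.
function affectedFixVersion(name, version) {
  if (!RSC_PACKAGES.has(name)) return null;
  const p = parseVersion(version);
  if (!p) return null;
  const fixed = FIXED_BY_MINOR[`${p.major}.${p.minor}`];
  if (!fixed) return null;
  return compareVersions(p, parseVersion(fixed)) < 0 ? fixed : null;
}

// Walks every installed copy, including ones nested under another package's
// node_modules, which a top-level `npm ls` can miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project entry
    const name = path.slice(idx + "node_modules/".length);
    const fixed = affectedFixVersion(name, entry.version || "");
    if (fixed) findings.push({ path, name, version: entry.version, fixed });
  }
  return findings;
}

// Constructed sample lockfile for this example: one affected top-level copy,
// one already-patched nested copy, one affected turbopack copy.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/@vendor/legacy-ui": { version: "1.4.0" },
    "node_modules/@vendor/legacy-ui/node_modules/react-server-dom-webpack": { version: "19.0.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.1" },
  },
};

// Real use: auditLockfilePath("./package-lock.json")
function auditLockfilePath(file) {
  return auditLockfile(JSON.parse(require("fs").readFileSync(file, "utf8")));
}

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${f.path} ${f.version} -> upgrade to ${f.fixed}`);
}
```

Run it against each repository's lockfile in CI and fail the build on any finding. Remember that it only sees what npm installed: the copy Next.js bundles inside the next package is invisible here, so pair this with a check on the next version itself.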
Best Practices to Keep Your React Apps Secure
Security is not optional; it is a fundamental part of building reliable web applications.
- Keep Dependencies Updated: Regularly update React and your framework, and set up automated dependency scanning with tools such as Dependabot, Snyk or 'npm audit' so a new advisory reaches you as a pull request rather than as a headline
- Implement Proper Authentication: This vulnerability was exploitable before any application-level authentication ran, so your login code alone would not have stopped it. Strong authentication and authorization still limit what an attacker gains from a foothold, and an authenticating reverse proxy, VPN or WAF in front of the app is one of the few controls that genuinely reduces exposure to pre-auth bugs of this kind
- Limit Network Exposure: Don't expose development servers to the internet. Use firewalls and VPNs, and restrict who can reach production servers at all
- Monitor and Log: Log Server Function calls (method, path, source address and the framework's action identifier) and alert on unexpected ones. With a bug this fast-moving, "were we hit before we patched?" can only be answered from logs you were already collecting
- Validate and Sanitize Inputs: Always validate all user input and never trust data from external sources. Note the limit, though: here the decoding ran inside the framework before your code ever saw the request, so no input validation you could have written would have prevented it; only patching did
- Stay Informed: Subscribe to security advisories from React, your framework providers and security organizations
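As an added example of the "Monitor and Log" point (not code from Next.js, React or this article), here is a small triage script run over constructed access-log lines. It assumes the log records the request method, path, source address, status and the value of the Next-Action request header, which Next.js sends on Server Function calls; the JSON field names, the IP addresses, the action IDs and the allowlist of IDs produced by "our build" are all constructed for the example. Requests that carry an action ID the build never produced are flagged, and a source that sends several of them is escalated.

```javascript
// Added example, not Next.js or React code: triage access logs for suspicious
// Server Function calls. Log format is constructed for this example: JSON lines
// with ts, src, method, path, status and next_action (the Next-Action request
// header value, or null when the header is absent).

// Action IDs our build produces; in practice exported from the build output.
// These values are constructed placeholders.
const KNOWN_ACTION_IDS = new Set([
  "a3f1c0d9e8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3",
  "5d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e",
]);

// Constructed sample: two legitimate calls, one plain page load, and one source
// hammering the app with IDs that no build of ours ever emitted.
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T10:00:01Z","src":"198.51.100.2","method":"POST","path":"/dashboard","status":200,"next_action":"a3f1c0d9e8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3"}',
  '{"ts":"2025-12-04T10:00:02Z","src":"198.51.100.2","method":"GET","path":"/dashboard","status":200,"next_action":null}',
  '{"ts":"2025-12-04T10:00:05Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"next_action":"x"}',
  '{"ts":"2025-12-04T10:00:06Z","src":"203.0.113.7","method":"POST","path":"/","status":500,"next_action":"0000000000000000000000000000000000000000"}',
  '{"ts":"2025-12-04T10:00:07Z","src":"203.0.113.7","method":"POST","path":"/api/health","status":404,"next_action":"ffffffffffffffffffffffffffffffffffffffff"}',
  '{"ts":"2025-12-04T10:01:00Z","src":"198.51.100.9","method":"POST","path":"/settings","status":200,"next_action":"5d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e"}',
];

function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch {
    return null; // malformed line: counted, not silently dropped
  }
}

// Returns { alerts, unknownBySource, malformed }. burstThreshold is the number
// of unknown-ID calls from one source that triggers a "burst" alert.
function triage(lines, knownActionIds, burstThreshold = 3) {
  const alerts = [];
  const unknownBySource = new Map();
  let malformed = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { malformed += 1; continue; }
    const action = rec.next_action;
    if (action == null) continue; // not a Server Function call
    if (rec.method !== "POST") {
      // Next.js sends Next-Action only on POST; anything else is hand-crafted.
      alerts.push({ kind: "action-header-on-non-post", ts: rec.ts, src: rec.src, path: rec.path });
      continue;
    }
    if (knownActionIds.has(action)) continue; // ID our build produced
    alerts.push({ kind: "unknown-action-id", ts: rec.ts, src: rec.src, path: rec.path, action, status: rec.status });
    const n = (unknownBySource.get(rec.src) || 0) + 1;
    unknownBySource.set(rec.src, n);
    if (n === burstThreshold) {
      alerts.push({ kind: "burst", ts: rec.ts, src: rec.src, count: n });
    }
  }
  return { alerts, unknownBySource: Object.fromEntries(unknownBySource), malformed };
}

for (const a of triage(SAMPLE_LOG, KNOWN_ACTION_IDS).alerts) {
  console.log(JSON.stringify(a));
}
```

Treat a single unknown ID as a lead rather than an incident: after a deploy, browsers still holding the previous bundle will legitimately send IDs that the new build does not know. Bursts, error responses and sources with no prior session are the signals worth paging on, and the same logs are what let you answer whether exploitation happened before you patched.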
Lessons Learned
This vulnerability was a wake-up call for the React ecosystem: a single flaw in a core library can expose millions of applications at once.
- No software is perfect: Even widely-used, well-maintained libraries can have critical vulnerabilities
- Security is everyone's responsibility: Developers need to stay vigilant and update dependencies regularly
- Response time matters: The React team's quick response and transparent disclosure helped minimize damage
- Defense in depth: Multiple security layers are essential—don't rely on a single protection mechanism
