This Week In React #262: React2Shell, Fate, TanStack AI, React Grab, Formisch, Base UI | React Native 0.83, Reanimated 4.2, State of RN, Refined, Crypto, Worklets, Sheet Navigator | CSS, Temporal, Supply Chain, Firefox | This Week In React

"React2Shell - CVE-2025-55182: In case you missed my email, a 10.0-scored vulnerability affecting React Server Components was unveiled last week. And it's a really nasty one, enabling unauthenticated remote code execution with a simple HTTP request. Many React meta-frameworks and custom setups are affected, in particular Next.js (v14-canary, v15, v16). If your app is affected, you really need to upgrade now!"
"Although no exploit was initially shared, infosec researchers and hackers quickly reverse-engineered the patch, and an exploit has been circulating online only ~30 hours after the initial disclosure. Hackers around the world have already been exploiting it at scale. There are even browser extensions to detect and exploit vulnerable sites. It wouldn't be surprising to see a worm exploiting it."
A 10.0-scored React Server Components vulnerability (CVE-2025-55182, "React2Shell") enables unauthenticated remote code execution via a simple HTTP request. Many React meta-frameworks and custom setups are affected, in particular Next.js (v14-canary, v15, v16), and affected apps need to upgrade now. Researchers and attackers quickly reverse-engineered the patch, and an exploit was circulating online roughly 30 hours after the initial disclosure. The vulnerability is already being exploited at scale, and browser extensions exist to detect and exploit vulnerable sites, raising the risk of a worm. Separately, React Native 0.83 was released (introducing <Activity>), and Reanimated 4.2 adds Shared Elements Transition support. The issue also mentions survey participation and a TanStack Start + Strapi tutorial.
Read at Thisweekinreact