Critical React Vulnerability Demands Immediate Patching as Exploitation Looms
SAN FRANCISCO, CA – A recently discovered, high-severity vulnerability in React, the widely used JavaScript library for building user interfaces, puts a significant portion of the internet at risk and is likely to be exploited imminently, security researchers warn. A patch was released just four days after the flaw was reported by researcher Lachlan Davidson to Meta, the project’s creator, but the ease of exploitation necessitates immediate action.
React powers major web platforms including Facebook, Instagram, Netflix, Airbnb, Shopify, HelloFresh, Walmart, and Asana, and numerous frameworks rely on potentially vulnerable React packages. Wiz, a cloud security firm, reports that 39 percent of cloud environments contain instances of Next.js or React in versions susceptible to CVE-2025-55182 and/or CVE-2025-66478. The vulnerability allows for near-certain remote code execution, according to testing by Wiz, which is in the process of being acquired by Google.
“Exploitation of this vulnerability had high fidelity, with a near 100 percent success rate and can be leveraged to a full remote code execution,” stated Gili Tikochinski, Merav Bar, and Danielle Aminov of Wiz in a blog post Wednesday. “Due to the high severity and the ease of exploitation, immediate patching is required.”
While no in-the-wild exploitation has been reported as of today, security experts anticipate that malicious actors are already analyzing the patch and scanning for vulnerable systems.
“The chances of technical details and exploit code being made publicly available are high, so exploitation is likely to occur soon,” said Stephen Fewer, senior principal researcher at Rapid7. “It is indeed thus critical to patch this vulnerability promptly.”
Cloudflare claims its Web Application Firewall (WAF) can protect applications using React if traffic is routed through the WAF. Developers and system administrators are urged to prioritize patching and review Cloudflare’s guidance.