December 4, 2025

Admins and defenders gird themselves against maximum-severity server vuln

Open source React executes malicious code with malformed HTML—no authentication needed.

TL;DR

  • A maximum-severity vulnerability (rated 10/10) has been found in React Server Components.
  • The vulnerability allows for easy exploitation via a single HTTP request, enabling remote code execution.
  • It affects widely used websites and cloud environments, with an estimated 6% of websites and 39% of cloud environments using React.
  • The vulnerability is due to unsafe deserialization in the Flight protocol.
  • Affected React versions include 19.0.1, 19.1.2, and 19.2.1, and several third-party components are also impacted.
  • Security firms Wiz and Aikido are urging immediate updates and code scanning.
  • Exploitation is described as having near 100% reliability and can lead to full remote code execution.
