An urgent and extremely dangerous vulnerability was discovered in React and . It is similar in nature to Log4j. If you are using React for your BACKEND, I need you to upgrade your React and frameworks right now.

CVE-2025-55182 / CVE-2025-66478

Specifics: React Server Components (RSC) and React Server Functions are affected.

Risk: Attackers can send a request (without logging in or creating a user) and gain remote code execution (control over your web server). Researchers have found they are able to take control almost 100% of the time according to this article: . There could not be a more serious security flaw in a web application than this. This affects default configurations, meaning almost everyone.

What do you do?

* Tell your security team in case they don't know
* Make a list of all apps using React or
* Check to see if you are using any of the known vulnerable versions: React: 19.0 / / /
* Upgrade to a safe version: React: , , OR BETTER , or latest 15.x / 16.x stable patched versions OR BETTER
* Scan with a software composition analysis tool to see if you're using it in places you didn't realize
* IF YOU CANNOT UPGRADE: Assume those apps are unsafe and turn them off if you can (seriously, this is an emergency). If you cannot, treat them like a bomb went off and put a network firewall around them, monitor them and work with your security team on it.
* Read your app logs and look for strange behavior
* Keep your security team informed of what you see
* Treat this as the emergency it is

Keep your eye on the React Framework Blog:

More version suggestions here if you are struggling:

Hats off to the React team for handling this quickly and well.











