
React Team security patch release for CVE-2025-55182

Security Patch Release
Happening score: 56
2 unique sources, 3 articles

Summary


The React Team released fixed React Server Components package versions, closing a maximum-severity RCE path in affected deployments. The updates land in 19.0.1, 19.1.2, and 19.2.1 for react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The patch matters because the flaw can let an attacker achieve unauthenticated remote code execution through unsafe RSC payload decoding.

Related Happenings

Linux distros patch release for Fragnasia (CVE-2026-46300)

Security Patch Release
First: 14.05.2026 10:34 Last: 14.05.2026 10:34 Sources 1

About this happening: Linux distros are rolling out **patches** for **CVE-2026-46300**, a high-severity kernel flaw that can let unprivileged local attackers gain **root** on vulnerable Linux systems....

Linux kernel Dirty Frag patch release (CVE-2026-43284, CVE-2026-43500)

Security Patch Release
First: 11.05.2026 17:30 Last: 11.05.2026 17:30 Sources 1

About this happening: **Major Linux distributions** are rolling out fixes for **Dirty Frag**, the **Linux kernel** patch release that covers **CVE-2026-43284** and **CVE-2026-43500**. The update matter...

Linux kernel security update for Copy Fail (CVE-2026-31431)

Security Patch Release
First: 30.04.2026 16:54 Last: 30.04.2026 16:54 Sources 1

About this happening: **Linux kernel** maintainers have fixed **CVE-2026-31431** and are rolling out updates to close a **local privilege escalation** flaw that lets an unprivileged attacker gain **roo...

PackageKit 1.3.5 security update (CVE-2026-41651)

Security Patch Release
First: 24.04.2026 20:28 Last: 24.04.2026 20:28 Sources 1

About this happening: **PackageKit version 1.3.5** was released to fix **CVE-2026-41651**, closing a **local privilege-escalation** path that could let Linux users gain **root permissions**. The update...

Nginx-ui 2.3.4 patch for CVE-2026-33032

Security Patch Release
First: 15.04.2026 16:00 Last: 15.04.2026 16:00 Sources 1

About this happening: **nginx-ui maintainers** shipped **version 2.3.4** to fix **CVE-2026-33032**, closing a critical security gap for **MCP-enabled** deployments. The patch matters because the flaw c...

Latest development: 15.04.2026 17:45

After Pluto Security disclosed the issue in **March 2026**, the maintainers shipped **version 2.3.4** to address **CVE-2026-33032**. The patch closed the vulnerability in the product's **AI (MCP) integration** before broader exploitation details were reported.

Timeline

  1. 03.12.2025 20:19 2 articles · 5mo ago

    Security researcher reports CVE-2025-55182 in React Server Components

    Initial Disclosure

    New Zealand-based security researcher Lachlan Davidson discovers and reports CVE-2025-55182, a maximum-severity flaw in React Server Components that can enable unauthenticated remote code execution through unsafe decoding of RSC payloads in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

  2. 03.12.2025 20:19 2 articles · 5mo ago

    React Team issues alert on unauthenticated RCE in React Server Components

    Technical Analysis Update

    The React Team alerts users that CVE-2025-55182 allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Wiz characterizes the issue as logical deserialization from unsafe RSC payload processing. The scope also includes Next.js using App Router and CVE-2025-66478, which carries a CVSS score of 10.0.
