Open source React executes malicious code with malformed HTML—no authentication needed.
“I usually don’t say this, but patch right freakin’ now,” one researcher wrote. “The React CVE listing (CVE-2025-55182) is a perfect 10.”
React versions 19.0.0, 19.1.0, 19.1.1, 19.2.0 contain the vulnerable code. Third-party components known to be affected include:
Vite RSC plugin
Parcel RSC plugin
React Router RSC preview
Open source React executes malicious code with malformed HTML—no authentication needed.
The largest incident yet is a warning that developers should urgently check package security, say experts.
Popular JavaScript modules including size-sensor and echarts-for-react hit as hijacked account closed GitHub warnings
Developers are urged to upgrade to latest version of the vm2 library to plug all vulnerabilities.
Drupal is warning users that it’s preparing a patch for a ‘highly critical’ vulnerability that may be exploited shortly after its…
Hundreds of software packages are affected, once again threatening enterprise credentials on coders’ machines.
