It never rains, but it pours: a security bug of the highest severity puts many servers around the world at risk

It’s been a bleak few months for the world of servers, cloud services and hyperscalers. With AWS going out of business in October and Cloudflare doing its best yo-yo impression in recent weeks, it would be nice to share some good news about this tech sector. Unfortunately, no, because it turns out that a very popular web application framework, heavily used on servers around the world, has a security bug of the highest severity.

The software packages in question are React Server Components and the developers have made a rather alarming statement about: critical security vulnerability earlier this week (via Register AND Wizard).

Specifically, the vulnerability “allows unauthenticated remote code execution by exploiting a vulnerability in the way React decodes payloads sent to React server function endpoints.” Translated into something more understandable, it simply means that someone can exploit a remote web request to a server running React JavaScript or a React-based application framework and ultimately execute suspicious code to extract data, replace systems, or whatever.

It’s so bad that it has a maximum severity rating CVE database. Fortunately, React’s developers created a patch almost immediately, although the somewhat restrained suggestion of “We recommend you update immediately” may not be enough to prevent anyone from successfully exploiting this vulnerability.

That’s because React, et al it is used in huge areas of the web that ordinary people know about. The Register reported that “Meta’s Facebook and Instagram, Netflix, Airbnb, Shopify, Hello Fresh, Walmart and Asana rely on it.” If you exploit Meta frequently, you should know that React is developed by it, so I think it’s protected to assume that all of its servers have already been patched.

However, the same cannot be said for everyone else, especially if The Register’s claim that an estimated 39% of all cloud environments contain this vulnerability is true. Even if it’s not close to this amount, a significant part of the network is used on a daily basis, so I wouldn’t be the least bit surprised if I wrote about another massive data breach on a server using React in the near future.

It is very popular XKCD image which precisely describes the entire interweb. When everything works, it’s nothing miniature of a newfangled miracle, but if one little thing goes wrong, the whole thing falls apart. Cloudflare’s substantial shutdown in November was caused by a configuration file that simply “outgrew the expected entry size,” and AWS’s demise was caused by a bug in its automation software.

In other words, even if every React instance is patched within nanoseconds of the vulnerability being announced, server administrators could still have another very bad day in many other ways.

The best PC gaming kit of 2025