Lessons learned from React's RCE
In the last few weeks, three vulnerabilities were found in the React web application framework. The first one, a server-side remote code execution (CVE-2025-55182), is the worst a vulnerability can get for a web framework. The other two, a denial of service (CVE-2025-67779) and a source code exposure (CVE-2025-55183), are much less dangerous, yet still impactful. There are already a lot of writeups explaining how these vulnerabilities happened, but I haven't seen much said about preventative measures that would have limited the damage. In this entry, I'll explore potential mitigations that could have been applied ahead of time to prevent these vulnerabilities, or at least limit their severity.
sgued.fr · SGued
Link author: Soso (@sgued@pouet.chapril.org)