Cybersecurity industry overreacts to React vulnerability, starts panic, burns own house down again
A few days ago, CVE-2025-55182 was revealed alongside an excellent write up: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

The disclosure write up is great: it is full of facts, and it explains when you are and aren't vulnerable. I don't think anybody knows how to parse it, and people have started taking actions before even knowing what they're doing.

To be vulnerable you have to be running:

- React v19, released in December 2024, so within the last year.
- React Server Components, the feature that became stable with React 19. The vulnerable code lives in the packages that implement its server side: react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack.

This is a niche setup. The vast majority of organisations won't have it yet, let alone internet facing. The vulnerability was caught soon after the feature shipped, so the orgs that do use it can fix it quickly too.

It's the same situation with Next.js: you'd need to be on a recent major version and be using the App Router, which is built on React Server Components. Note that Next.js bundles its own copy of React, so there the fix arrives as a Next.js upgrade rather than a React one.

If you're saying "React Router is vulnerable!" you're right, but it's the same situation: you'd need to be on a new version and have enabled its experimental React Server Components support too.

The overreaction

LinkedIn is absolutely rammed with people sharing apocalyptic warnings and fake proofs of concept.

People are spraying the internet attempting to exploit this, attempting being the operative word, so people are having a meltdown about that too. An exploit attempt against an app that isn't running React Server Components is just noise in the logs.

Cloudflare managed to take down its own network globally, knocking every customer website offline and about a quarter of the internet with it, by rushing out a change meant to defend against this vulnerability.

What to actually do

Calm down.

Check with your developers and suppliers whether they even use React v19 yet. They most probably don't, in which case you aren't vulnerable.

If they do, calmly find out whether they use React Server Components.
They most probably don't, in which case you aren't vulnerable.

Then, if needed, patch to the fixed releases listed in the disclosure.

The end isn't nigh, the cloud isn't falling, so stop running off cliffs like lemmings because of warnings from the cybersecurity industry over this. When the primary incentive is to scare, that is not a good incentive.

Originally published in DoublePulsar on Medium.