Which security vulnerability is involved?
The newly discovered security vulnerability CVE-2025-55182 in React Server Components affects not only React itself, but also popular frameworks such as Next.js. According to current analyses, around 39% of all cloud environments are potentially at risk.
With a CVSS score of 10, this security vulnerability has the highest possible severity rating. The Next.js team has assigned its own CVE identifier, CVE-2025-66478, but it refers to the same underlying problem.
What are the risks?
The vulnerability allows attackers to inject malicious code and achieve remote code execution (RCE). Besides React itself and Next.js, the following are among those affected:
- React Router
- RedwoodSDK
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
According to security researchers at Wiz and Aikido, the vulnerability is based on “insecure deserialization” in the React framework’s Flight protocol. It can be exploited by a specially crafted HTTP request that results in code execution on the server. The researchers were able to reproduce the attack in their own tests with a success rate of nearly 100 percent.
How can you protect yourself?
To minimize the risk from the current security vulnerability in React and Next.js, update all affected frameworks and libraries to the latest versions, which closes the known vulnerabilities. In addition, carefully review and implement the official guidance from the React developers and the recommendations from security vendors such as Wiz and Aikido. Beyond that, step up system monitoring so that suspicious activity is detected early and potential attacks can be warded off. Taking these steps promptly significantly reduces the risk and helps ensure a secure application environment.
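Finding out whether the affected packages are present at all is the first step of the update advice above. The following is an added example, not code from the original post or from the React or Next.js projects: it reads a CycloneDX JSON SBOM, picks out the packages named in this post (the npm package names and the inclusion of react-server-dom-webpack are assumptions), and compares each version against a per-release-line table of fixed versions. The fixed-version numbers in the script are placeholders; take the real ones from the official React and Next.js advisories.

```python
"""Audit a CycloneDX JSON SBOM for the React Server Components packages
named in the advisory and flag versions below a known fixed release."""
import json
import re

# Assumption: npm package names behind the frameworks the post lists.
WATCHLIST = {"next", "react-router", "waku", "@parcel/rsc",
             "@vitejs/plugin-rsc", "react-server-dom-webpack"}


def _version_key(version):
    """Turn '19.2.1' or '19.2.1-canary.3' into a sortable tuple.
    A prerelease of the same number sorts before the release."""
    core, _, prerelease = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core)[:3])
    nums += (0,) * (3 - len(nums))
    return nums + ((0, prerelease) if prerelease else (1, ""))


def _full_name(component):
    """CycloneDX splits scoped npm packages into group + name."""
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def _status(version, fixed_list):
    """Fixed releases exist per major.minor line (e.g. 15.3.x and 15.4.x),
    so only a fixed version on the same line can judge this version."""
    vk = _version_key(version)
    for fixed in fixed_list:
        fk = _version_key(fixed)
        if fk[:2] == vk[:2]:
            return "fixed" if vk >= fk else "vulnerable"
    return "review"  # release line not covered by the table: check manually


def audit_sbom(sbom, fixed_versions):
    """Return (package, version, status) for every watch-listed component."""
    findings = []
    for comp in sbom.get("components", []):
        name = _full_name(comp)
        if name in WATCHLIST:
            version = comp.get("version", "")
            fixed_list = fixed_versions.get(name, [])
            findings.append((name, version, _status(version, fixed_list)))
    return findings


# Constructed sample SBOM (CycloneDX JSON, trimmed) for this demonstration.
SAMPLE_SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
  {"type": "library", "name": "next", "version": "15.3.2"},
  {"type": "library", "name": "react-server-dom-webpack", "version": "19.2.0"},
  {"type": "library", "group": "@vitejs", "name": "plugin-rsc", "version": "0.4.1"},
  {"type": "library", "name": "express", "version": "4.21.0"}]}""")

# PLACEHOLDER numbers, made up for the demonstration; replace with the fixed
# releases from the official React and Next.js advisories before real use.
FIXED_VERSIONS_PLACEHOLDER = {"next": ["15.3.99", "15.4.99"],
                              "react-server-dom-webpack": ["19.2.99"]}

if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM, FIXED_VERSIONS_PLACEHOLDER):
        print(*finding)
```

A package reported as "review" is on the watch list but has no fixed version configured for its release line, so it needs a manual check rather than being treated as safe.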
No risk for NoSpamProxy customers
NoSpamProxy is developed with the Aurelia framework rather than the React JavaScript framework, so there is no risk for NoSpamProxy customers.
Information about the components used in NoSpamProxy can be found in the respective SBOM (Software Bill of Materials), which has been delivered with NoSpamProxy since version 15.2. NoSpamProxy thereby meets an important criterion of the Cyber Resilience Act (CRA) prepared by the European Commission, which obliges manufacturers to provide SBOMs if their products contain digital elements and are sold in the EU.
Not yet using NoSpamProxy?
NoSpamProxy reliably protects your company from dangerous emails and offers many other security features. Request your free trial now!