React 19 Has a CVSS 10.0 Vulnerability — And Most Teams Don't Know

via Dev.to JavaScript, by Vishwam Dhavale

Most React 19 articles talk about Server Components and the new use() API. Few mention that a critical RCE vulnerability, React2Shell (CVE-2025-55182), was discovered in React Server Components in late 2025, scoring a perfect 10.0 on the CVSS severity scale. The exploit hits before authentication checks. One crafted request and an attacker potentially has full server access.

Affected versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0
Patched versions: 19.0.1, 19.1.2, 19.2.1

If you're running any of those affected versions in production, check your package.json right now.

But React 19 Is Still Worth It

Beyond the security story, React 19 is a genuinely significant release:

- Server Components are now stable: fetch directly from DB, ship zero JS for those components
- Server Actions replace the fetch boilerplate: "use server" and React handles loading, errors, optimistic updates
- New hooks: useActionState, useOptimistic, useFormSta
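For the "check your package.json" step above: package.json only holds version ranges, so the reliable check is the lockfile, which records the exact versions installed, including nested copies pulled in by dependencies. The following is an added example, not code from the original article or from the React project. The version lists are the ones quoted above; the list of watched package names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Version lists as quoted in the article.
const AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED = ["19.0.1", "19.1.2", "19.2.1"];

// Assumption: package names to watch. The article only says "React" versions;
// adjust this list to the packages named in the advisory you are following.
const WATCHED = ["react", "react-dom", "react-server-dom-webpack",
                 "react-server-dom-parcel", "react-server-dom-turbopack"];

// Patched release on the same minor line, e.g. 19.1.1 -> 19.1.2.
function patchedFor(version) {
  const minor = version.split(".").slice(0, 2).join(".");
  return PATCHED.find((p) => p.startsWith(minor + ".")) || null;
}

// Scan a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
// Keys look like "node_modules/a/node_modules/react"; the package name is
// whatever follows the last "node_modules/", so nested copies are caught too.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!WATCHED.includes(name) || !meta.version) continue;
    if (AFFECTED.has(meta.version)) {
      hits.push({ path, name, version: meta.version,
                  upgradeTo: patchedFor(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level react is patched, but a
// transitive copy and one server-dom package are still on affected versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-lib/node_modules/react": { version: "19.0.0" },
    "node_modules/react-is": { version: "19.2.0" }, // not in WATCHED
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} is affected, upgrade to ${h.upgradeTo}`);
}
```

To run it against a real project, pass the parsed contents of package-lock.json to findAffected in place of SAMPLE_LOCK.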
