Summary iPlain-English security verdict for React, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
React currently scores 100/100 — healthy. 1 actively-exploited vulnerability (CISA KEV) affects older releases (e.g. CVE-2025-55182) — staying on the latest supported version keeps you clear of it. The latest supported release is 19.2.7. It's on the latest patch with no significant known issues — keep it current.
Disclosure trend iNew CVEs published for React each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
1 of its known vulnerability is linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2025-55182 CRITICAL exploited ransomware Insecure deserialization EPSS 100% → see advisory CVE-2025-55184 HIGH Insecure deserialization EPSS 66% → fixed in 19.2.2 CVE-2025-55183 MEDIUM EPSS 62% → fixed in 19.2.2Get alerted about React
Be emailed the moment React gets a newly exploited vulnerability (CISA KEV) or a release reaches end of life. Free · double opt-in · unsubscribe anytime.
We email only on real events for React — no marketing, no sharing, and we never know what you run. Track your whole stack →
Versions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each React release line is supported — and when it sunsets. Select a line for its full report.
19 latest 19.2.7 Supported 19.2.7 → 18 latest 18.3.1 Supported 18.3.1 → 17 latest 17.0.2 Supported 17.0.2 → 16 latest 16.14.0 Supported 16.14.0 → 15 latest 15.7.0 Supported 15.7.0 → See all upcoming end-of-life dates →Frequently asked
Is React safe and patched?
React currently scores 100/100 — healthy. 1 actively-exploited vulnerability (CISA KEV) affects older releases (e.g. CVE-2025-55182) — staying on the latest supported version keeps you clear of it. The latest supported release is 19.2.7. It's on the latest patch with no significant known issues — keep it current.
What should I do about React now?
Upgrade React to the latest supported release (19.2.7) or later, which clears the actively-exploited issues affecting older versions, then confirm against Meta's official advisory.
When does React reach end-of-life?
The latest supported React release is 19.2.7. After end-of-life a release no longer receives security patches.
Which versions of React are still receiving security updates?
Supported React release lines (latest 19.2.7): 19, 18, 17, 16, 15. End-of-life releases no longer receive security patches.
Informational only, from public data (NVD · CISA KEV · EPSS · endoflife.date), and can lag or miss vendor-specific fixes. Always confirm against Meta's official advisory before you patch or upgrade — React official site ↗