React 19 Has a CVSS 10.0 Vulnerability — And Most Teams Don't Know

Vishwam Dhavale — Tue, 31 Mar 2026 07:20:12 +0000

React 19 Has a CVSS 10.0 Vulnerability — And Most Teams Don't Know

Most React 19 articles talk about Server Components and the new use() API.

Few mention that a critical RCE vulnerability — React2Shell (CVE-2025-55182) — was discovered in React Server Components late 2025, scoring a perfect 10.0 on the CVSS severity scale.

The exploit hits before authentication checks. One crafted request and an attacker potentially has full server access.

Affected versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0

Patched versions: 19.0.1, 19.1.2, 19.2.1

If you're running any of those affected versions in production — check your package.json right now.

But React 19 Is Still Worth It

Beyond the security story, React 19 is a genuinely significant release:

Server Components are now stable — fetch directly from DB, ship zero JS for those components
Server Actions replace the fetch boilerplate — "use server" and React handles loading, errors, optimistic updates
New hooks — useActionState, useOptimistic, useFormStatus simplify patterns that used to need 3-4 state variables
Native <title> and <meta> support — drop react-helmet for most use cases
use() API — await promises directly in components, no more useEffect for data fetching

What Actually Breaks During Upgrade

React 19 is mostly backward compatible but these will catch you:

Legacy lifecycle methods (componentWillMount, componentWillReceiveProps) — replace with hooks
Libraries relying on React internals — check compatibility before upgrading
Code assuming synchronous state updates — setState() then immediately reading state will behave differently

I wrote a full breakdown covering all of this — the new features, what breaks, how to migrate safely, and the full security vulnerability story.

👉 Full article: https://www.vishwamdhavale.com/blog/react-19-breaking-changes

Are you already on React 19 in production? Drop a comment — curious what your upgrade experience looked like.

react #javascript #webdev #frontend #security

What Being a Founding Engineer Actually Means (Beyond Writing Code)

Vishwam Dhavale — Thu, 26 Feb 2026 17:35:25 +0000

Most people think a founding engineer writes code.

That’s maybe 30% of the job.

The rest is ambiguity, architectural responsibility, and making decisions that shape a product long before scale is visible.

In early-stage environments, there is no predefined system.
No backend team.
No safety net.

You are the system.

1. You Define the Architecture From Zero

You don’t inherit decisions.

You make them:

Database structure
Auth model
API design
Deployment strategy
What to build now vs later
What to deliberately avoid

Every shortcut becomes future technical debt.
Every overengineered abstraction slows velocity.

You operate in that tension daily.

2. You Build for Change, Not Just Today

Early-stage products evolve fast.

Features pivot.
Data models change.
Integrations expand.

If the foundation is tightly coupled, iteration becomes expensive.

So you think ahead:

Where will this break?
What will scale?
What must remain flexible?

You optimize for adaptability — not perfection.

3. You Make Decisions Without Perfect Information

There’s no clear roadmap.

You don’t know:

What user growth will look like
What features will dominate usage
Which integrations will matter most

Yet you still have to choose:

Simple now vs scalable later
Speed vs structure
Abstraction vs clarity

There’s no formula.

Only judgment.

4. Ownership Is Structural, Not Emotional

If something breaks, it’s your system.

If performance degrades, it’s your data model.

If deployment fails, it’s your infra decision.

You can’t hide behind “that’s not my module.”

A founding engineer doesn’t just ship code.

They carry architectural responsibility.

5. It’s a Mindset Shift

The difference isn’t seniority.

It’s perspective.

You stop thinking:

“How do I implement this feature?”

And start thinking:

“How does this decision affect the system 6 months from now?”

That shift changes how you design everything.

Why This Matters

Early products don’t fail because of missing features.

They fail because the foundation can’t support growth.

Being a founding engineer means designing that foundation — under uncertainty.

This is just a high-level view. The detailed breakdown of how I design and ship backend systems is here:

You can see more of my work and writing here →
https://www.vishwamdhavale.com

DEV Community: Vishwam Dhavale

React 19 Has a CVSS 10.0 Vulnerability — And Most Teams Don't Know