On December 3rd, 2025, the React team disclosed a critical security vulnerability that has sent shockwaves through the React development community. Designated as CVE-2025-55182 and rated CVSS 10.0 (the highest severity rating), this vulnerability allows unauthenticated remote code execution in React Server Components—a feature that has become central to modern React applications.
⚠️ Critical Security Alert
Immediate action required: If you're using React Server Components, you may be vulnerable to remote code execution attacks. Upgrade to patched versions immediately.
Understanding the Vulnerability
The vulnerability exists in how React decodes payloads sent to React Server Function endpoints. An unauthenticated attacker can craft a malicious HTTP request that, when deserialized by React, achieves remote code execution on the server.
What Are React Server Components?
React Server Components (RSC) allow React code to run on the server, enabling developers to build applications that combine client-side interactivity with server-side rendering. React Server Functions enable clients to call functions on the server, creating a seamless bridge between client and server code.
How It Works: React translates client requests into HTTP requests that are forwarded to the server. On the server, React translates the HTTP request into a function call and returns data to the client. The vulnerability exists in this deserialization process.
The Attack Vector
The vulnerability allows an attacker to:
- Send malicious HTTP requests to any Server Function endpoint
- Exploit the payload deserialization process
- Execute arbitrary code on the server without authentication
- Potentially gain full control of the server
Important Note: Even if your app doesn't implement any React Server Function endpoints, you may still be vulnerable if your app supports React Server Components. The vulnerability affects the underlying infrastructure that powers RSC.
Affected Versions
The vulnerability is present in the following React versions:
| React Version | Status | Fixed Version |
|---|---|---|
| 19.0.0 | Vulnerable | 19.0.1 |
| 19.1.0 | Vulnerable | 19.1.2 |
| 19.1.1 | Vulnerable | 19.1.2 |
| 19.2.0 | Vulnerable | 19.2.1 |
Affected Packages
The vulnerability affects these specific React packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Am I Affected?
You are NOT affected if:
- Your app's React code does not use a server
- Your app does not use a framework, bundler, or bundler plugin that supports React Server Components
- You're using React versions prior to 19.0.0
You ARE affected if:
- You're using React 19.0.0, 19.1.0, 19.1.1, or 19.2.0
- Your application uses React Server Components
- You're using Next.js, React Router, Waku, or other frameworks that support RSC
- You're using any of the affected packages listed above
Affected Frameworks and Bundlers
The following React frameworks and bundlers are affected because they depend on, have peer dependencies for, or include the vulnerable React packages:
- Next.js: the most popular React framework, widely affected
- React Router: if using the unstable RSC APIs
- Waku: React framework with RSC support
- @parcel/rsc: Parcel bundler RSC plugin
- @vitejs/plugin-rsc: Vite RSC plugin
- rwsdk (Redwood SDK): Redwood framework SDK
Immediate Action Required: Upgrade Instructions
If you're using any affected versions, upgrade immediately. Here are the specific upgrade instructions for each framework:
Next.js
All Next.js users should upgrade to the latest patched version in their release line:
# For Next.js 15.0.x
npm install next@15.0.5
# For Next.js 15.1.x
npm install next@15.1.9
# For Next.js 15.2.x
npm install next@15.2.6
# For Next.js 15.3.x
npm install next@15.3.6
# For Next.js 15.4.x
npm install next@15.4.8
# For Next.js 15.5.x
npm install next@15.5.7
# For Next.js 16.0.x
npm install next@16.0.7
Important for Canary Users: If you're on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
npm install next@14
React Router
If you're using React Router's unstable RSC APIs, upgrade the following packages:
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
Expo
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Redwood SDK
Ensure you're on rwsdk>=1.0.0-alpha.0:
# For latest beta version
npm install rwsdk@latest
# Upgrade React packages
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Waku
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
Vite RSC Plugin
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
Direct Package Updates
If you're using these packages directly:
# react-server-dom-parcel
npm install react@latest react-dom@latest react-server-dom-parcel@latest
# react-server-dom-turbopack
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
# react-server-dom-webpack
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Verification Steps
After upgrading, verify that your application is secure:
- Check Package Versions: Ensure you're running patched versions (19.0.1, 19.1.2, or 19.2.1) by running: npm list react react-dom react-server-dom-webpack
- Test Your Application: Run your test suite and verify that all functionality works correctly after the upgrade
- Review Dependencies: Check if any of your dependencies are still using vulnerable versions
- Monitor for Issues: Watch for any unusual behavior or errors after the upgrade
Hosting Provider Mitigations
The React team has worked with hosting providers to apply temporary mitigations. However, you should not depend on these to secure your app. You must still update immediately.
Critical Reminder: Hosting provider mitigations are temporary measures. They do not replace the need to upgrade your application. Always upgrade to patched versions as soon as possible.
Understanding the Impact
CVSS 10.0: What It Means
A CVSS (Common Vulnerability Scoring System) score of 10.0 is the highest possible severity rating. This indicates:
- Critical Impact: Complete system compromise is possible
- No Authentication Required: Attackers don't need to be logged in
- Remote Exploitation: Can be exploited over the network
- Code Execution: Allows arbitrary code execution on the server
Potential Consequences
If exploited, this vulnerability could allow attackers to:
- Execute arbitrary code on your server
- Access sensitive data and databases
- Modify or delete files
- Install backdoors or malware
- Compromise user accounts and credentials
- Use your server for malicious activities
Timeline of Events
Understanding the timeline helps contextualize the severity and response:
| Date | Event |
|---|---|
| November 29th | Lachlan Davidson reported the security vulnerability via Meta Bug Bounty |
| November 30th | Meta security researchers confirmed and began working with the React team on a fix |
| December 1st | A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix |
| December 3rd | The fix was published to npm and publicly disclosed as CVE-2025-55182 |
The rapid response—from discovery to fix in just 5 days—demonstrates the severity of the issue and the React team's commitment to security.
Best Practices for Security
While this specific vulnerability has been patched, here are best practices to keep your React applications secure:
1. Keep Dependencies Updated
- Regularly update React and related packages
- Use npm audit to check for known vulnerabilities
- Set up automated dependency updates where possible
- Subscribe to security advisories for your dependencies
2. Implement Security Headers
Use security headers to protect against various attack vectors:
- Content Security Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security (HSTS)
3. Validate and Sanitize Input
Always validate and sanitize user input, especially when it's used in server-side operations:
- Validate input types and formats
- Sanitize data before processing
- Use parameterized queries for database operations
- Implement rate limiting on API endpoints
4. Implement Authentication and Authorization
While this vulnerability didn't require authentication, proper access controls are essential:
- Implement authentication for sensitive endpoints
- Use role-based access control (RBAC)
- Validate user permissions before executing operations
- Use secure session management
5. Monitor and Log
Implement comprehensive logging and monitoring:
- Log all security-relevant events
- Monitor for unusual patterns or behaviors
- Set up alerts for potential security incidents
- Regularly review logs for suspicious activity
What to Do If You Suspect a Breach
If you believe your application may have been compromised:
- Immediately upgrade to patched versions
- Review server logs for suspicious activity or unusual requests
- Check for unauthorized changes to files, databases, or configurations
- Rotate all credentials including API keys, database passwords, and access tokens
- Notify affected users if personal data may have been compromised
- Consider engaging a security professional for a thorough assessment
- Report the incident to relevant authorities if required by law
Lessons Learned
This vulnerability highlights several important lessons for the React ecosystem:
1. The Importance of Security Research
The vulnerability was discovered through Meta's Bug Bounty program, demonstrating the value of:
- Responsible disclosure programs
- Security research and penetration testing
- Community involvement in security
2. Rapid Response is Critical
The React team's quick response—fixing the issue within days—shows the importance of:
- Having security response procedures in place
- Coordinating with affected parties
- Providing clear upgrade paths
3. Server-Side Code Requires Extra Care
As React moves more functionality to the server, developers must:
- Understand the security implications of server-side code
- Implement proper input validation and sanitization
- Stay informed about security best practices
Conclusion
CVE-2025-55182 is a critical vulnerability that requires immediate action. If you're using React Server Components, upgrade to patched versions immediately. The React team has provided clear upgrade paths for all affected frameworks and packages.
Key Takeaways:
- This is a critical vulnerability (CVSS 10.0) requiring immediate action
- Affects React 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Fixed versions: 19.0.1, 19.1.2, and 19.2.1
- Upgrade instructions are available for all affected frameworks
- Don't rely on hosting provider mitigations—upgrade your code
Security is an ongoing process, not a one-time fix. Stay informed about security updates, keep your dependencies current, and implement security best practices in your applications. The React ecosystem is strong, and with proper security measures, we can continue building amazing applications safely.
Stay Secure
For the latest security updates and advisories, follow the React blog and subscribe to security notifications for your dependencies.
