Welcome to Haposoft Blog

On December 3, 2025, the React team revealed a critical Remote Code Execution vulnerability in React Server Components (RSC). It affects several RSC packages and some of the most widely used React frameworks, including Next.js. A fix is already out, so the urgent step now is simply checking whether your project uses these packages—and updating to the patched versions if it does. Overview of the Vulnerability A newly reported flaw allows unauthenticated Remote Code Execution (RCE) on servers running React Server Components. Type: Unauthenticated Remote Code Execution CVE: CVE-2025-55182 (NIST , GitHub Advisory Database) Severity: CVSS 10.0 (Maximum severity) This means an attacker could execute arbitrary code on the server without any form of authentication, giving them full control of the affected environment. The issue is caused by a flaw in how React decodes payloads sent to React Server Function endpoints. A maliciously crafted HTTP request can trigger unsafe deserialization, leading to remote code execution. React will publish additional technical details once the patch rollout is fully completed. Scope of Impact Any application that supports React Server Components may be exposed, even if it never defines any Server Function endpoints. The vulnerability exists in the underlying RSC support layer used by multiple frameworks and bundlers. Your application is not vulnerable if: Your React code does not run on a server, or Your application does not use a framework, bundler, or plugin that supports React Server Components. Traditional client-only React applications are unaffected. Affected Versions and Components The vulnerability is tied to specific versions of the React Server Components packages and to the frameworks that depend on them. Identifying whether your project uses any of these versions is the first step in determining your exposure. Vulnerable Packages The issue affects the following packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0: react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack Affected Frameworks and Bundlers Several frameworks that rely on these packages are also impacted, including: Next.js React Router (when using unstable RSC APIs) Waku @parcel/rsc @vitejs/plugin-rsc Redwood SDK Security Fix and Recommended Actions The React team has released patched versions, and major frameworks have issued corresponding updates. Applying these fixes promptly is the only reliable way to remove the vulnerability from affected projects. Patched Versions The React team has released fixed versions: 19.0.1 19.1.2 19.2.1 (or any version newer than these) Upgrading to a patched release is mandatory to eliminate the vulnerability. Framework Updates Framework maintainers have also published security updates. For example, Next.js users must upgrade to one of the following patched versions: next@15.0.5 next@15.1.9 next@15.2.6 next@15.3.6 next@15.4.8 next@15.5.7 next@16.0.7 Other ecosystems (React Router, Redwood, Vite plugin, Parcel, Waku, etc.) also require upgrading to their latest patched versions. What Development Teams Should Do Now We recommend the following immediate steps: Audit all projects to confirm whether React Server Components or related frameworks are in use. Check package versions for the affected libraries listed above. Upgrade to the patched versions immediately if your application falls within the impacted scope. Review deployment environments for any unusual activity (optional but advisable for security). Document and report the findings to your internal security or project stakeholders. Conclusion This vulnerability (CVE-2025-55182) is one of the most severe vulnerabilities ever disclosed within the React ecosystem, and it may impact a wide range of modern React-based applications. To maintain security and prevent potential exploitation, all teams should: Review their applications, Identify affected components, and Apply the necessary upgrades without delay. If you need a security audit or patch support within your React-based web development projects, Haposoft is ready to step in.