Critical RCE Vulnerability in React Server Components (CVE‑2025‑55182) – What You Must Patch Now
React Server Components contain a critical remote code execution flaw (CVE‑2025‑55182) rated CVSS 10.0. It affects React 19.0.0 through 19.2.0 and frameworks built on those releases such as Next.js; this advisory covers the impact, mitigation steps, and upgrade commands for the affected stacks.
Background
On December 3, 2025, the React team issued a security advisory announcing a severe remote code execution (RCE) vulnerability in React Server Components (RSC). The issue is tracked as CVE‑2025‑55182 and carries a CVSS rating of 10.0, the maximum severity, reflecting that it can be exploited without authentication.
Vulnerability Details
The flaw is a deserialization vulnerability in how React Server Functions decode incoming request payloads. An attacker can send a crafted HTTP request that is unsafely deserialized on the server, leading to arbitrary code execution. Applications that do not explicitly use Server Functions are still at risk whenever their environment enables React Server Components.
Affected Packages and Frameworks
The vulnerability impacts the following npm packages in the listed versions:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Frameworks and tools that depend on these packages are likely affected, including but not limited to:
Next.js (high‑risk)
React Router
Waku
Expo
Redwood SDK
@vitejs/plugin-rsc
Mitigation and Upgrade Instructions
The React team released patched versions 19.0.1, 19.1.2, and 19.2.1. Framework maintainers have also published updates. Apply the appropriate upgrade for your stack:
1. Next.js Users
Upgrade to the latest patch of your major version:
Next.js 15.x → 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7
Next.js 16.x → 16.0.7
If you are on a canary release such as 14.3.0‑canary.77 or newer, downgrade to the latest stable 14.x version:
npm install next@14
2. React Router Users
Update the core React packages and the server‑dom implementation:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
If you use the Parcel or Vite plugins, update them as well:
npm install react-server-dom-parcel@latest @vitejs/plugin-rsc@latest
3. Waku Users
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
4. Expo Users
npm install react@latest react-dom@latest react-server-dom-webpack@latest
5. Redwood SDK Users
Ensure rwsdk is >=1.0.0‑alpha.0 and upgrade to the latest beta:
npm install rwsdk@latest
npm install react@latest react-dom@latest react-server-dom-webpack@latest
FAQ
Q: Does a pure client‑side SPA get affected? A: No. If your React code never runs on a server and your build tool does not enable Server Components, you are safe.
Q: Do cloud providers automatically protect us? A: Meta and the React team have coordinated temporary mitigations with some hosting providers, but you must not rely on them; upgrading the dependencies is mandatory.
Timeline
Nov 29 2025 – Security researcher Lachlan Davidson reported the issue.
Nov 30 2025 – Meta’s security team confirmed the vulnerability and began remediation.
Dec 03 2025 – Patches published to npm and CVE details disclosed.
References
React official announcement: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
CVE‑2025‑55182 details
IT Services Circle