Critical React Server Components Vulnerability (CVE-2025-55182): Upgrade Now

By Technspire Team
December 9, 2025
CRITICAL SECURITY ALERT: On December 3, 2025, the React team disclosed CVE-2025-55182—a maximum severity (CVSS 10.0) vulnerability in React Server Components that allows unauthenticated remote code execution. If your application uses React 19 with Server Components, you must upgrade immediately. This is not a drill.

What Is the Vulnerability?

The vulnerability exists in how React decodes payloads sent to React Server Function endpoints. An attacker can craft malicious HTTP requests that, when deserialized by React, achieve remote code execution on the server.

// Attack vector (simplified)

// Malicious request to Server Function endpoint
POST /api/server-function HTTP/1.1
Content-Type: application/x-react-server-reference

[Crafted payload that executes arbitrary code on deserialization]

This is particularly dangerous because:

  • No authentication required: Attackers don't need valid credentials
  • Remote execution: Attack can be launched from anywhere on the internet
  • Server-side impact: Compromises your server, not just the client
  • Maximum severity: CVSS score of 10.0—the highest possible rating

Important: Even if your app doesn't explicitly implement React Server Function endpoints, you may still be vulnerable if your framework supports React Server Components.

Am I Affected?

Affected Versions

The vulnerability exists in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

Affected Frameworks

  • Next.js (with App Router)
  • React Router (RSC mode)
  • Waku
  • @parcel/rsc
  • @vitejs/plugin-rsc
  • rwsdk (Redwood SDK)
  • Expo

You Are NOT Vulnerable If:

  • Your React code runs entirely on the client (no server)
  • You don't use a framework/bundler that supports React Server Components
  • You're still on React 18 or earlier

The Solution: Upgrade Immediately

Fixed React Versions

Upgrade to one of these patched versions:

  • 19.0.1 (for 19.0.x)
  • 19.1.2 (for 19.1.x)
  • 19.2.1 (for 19.2.x)

Next.js Users

# For Next.js 15.0.x
npm install next@15.0.5

# For Next.js 15.1.x
npm install next@15.1.9

# For Next.js 15.2.x
npm install next@15.2.6

# For Next.js 15.3.x
npm install next@15.3.6

# For Next.js 15.4.x
npm install next@15.4.8

# For Next.js 15.5.x
npm install next@15.5.7

# For Next.js 16.0.x
npm install next@16.0.7

Using Next.js canary? If you're on any canary version from 14.3.0-canary.77 onwards, downgrade to stable immediately:

npm install next@14

React Router Users (RSC APIs)

# Update all relevant packages
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest

General React Server DOM Packages

# For webpack bundler
npm install react@latest react-dom@latest react-server-dom-webpack@latest

# For parcel bundler
npm install react@latest react-dom@latest react-server-dom-parcel@latest

# For turbopack bundler
npm install react@latest react-dom@latest react-server-dom-turbopack@latest

Verification Steps

# Check your installed versions
npm list react react-dom react-server-dom-webpack next

# Expected output should show patched versions:
# react@19.0.1 (or 19.1.2, 19.2.1)
# react-server-dom-webpack@19.0.1 (or 19.1.2, 19.2.1)
# next@15.0.5 (or other patched version)

1. Clear node_modules and reinstall

rm -rf node_modules && npm install

2. Clear build cache

rm -rf .next && npm run build

3. Deploy to production

Redeploy your application with the updated dependencies
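To automate the version check above across the whole dependency tree (a copy of react-server-dom-* pulled in transitively under next is easy to miss when reading npm list by eye), here is an added Node.js example; it is not from the original post or the React project, and the affected and patched versions it encodes are exactly those listed in this article. SAMPLE_TREE is a constructed stand-in for real `npm ls --json` output.

```javascript
// Added example, not from the original post: scan `npm ls --json` output for the packages/versions listed above.
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"]);
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Minimum patched Next.js patch level per minor line, from the upgrade table above.
const NEXT_MIN_PATCHED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6,
  "15.4": 8, "15.5": 7, "16.0": 7 };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v);
  return m && { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" };
}

// Returns a reason string when name@version is affected, otherwise null.
function isAffected(name, version) {
  if (RSC_PACKAGES.has(name) && AFFECTED_RSC.has(version)) return `${name}@${version} is a vulnerable release`;
  if (name !== "next") return null;
  const sv = parseSemver(version);
  if (!sv) return null;
  const canary = /^canary\.(\d+)$/.exec(sv.pre);
  if (canary) {
    // Affected canaries start at 14.3.0-canary.77; compare base version, then canary number.
    const base = sv.major * 1e6 + sv.minor * 1e3 + sv.patch;
    const onward = base > 14003000 || (base === 14003000 && +canary[1] >= 77);
    return onward ? `${name}@${version} is an affected canary; install a patched stable release` : null;
  }
  const min = NEXT_MIN_PATCHED[`${sv.major}.${sv.minor}`];
  if (min === undefined || sv.patch >= min) return null;
  return `${name}@${version} is below the patched ${sv.major}.${sv.minor}.${min}`;
}

// Walk the nested tree so a react-server-dom-* copy pulled in transitively is not missed.
function findVulnerable(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    const reason = isAffected(name, info.version || "");
    if (reason) out.push({ path: here.join(" > "), reason });
    findVulnerable(info, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls --json` output (not a real project).
const SAMPLE_TREE = { name: "app", dependencies: {
  react: { version: "19.1.1" },
  next: { version: "15.1.8", dependencies: { "react-server-dom-webpack": { version: "19.1.1" } } },
  "react-server-dom-parcel": { version: "19.1.2" } } };
for (const f of findVulnerable(SAMPLE_TREE)) console.log(`${f.path}: ${f.reason}`);
```

To scan a real project, replace SAMPLE_TREE with JSON.parse of the output of `npm ls --all --json`; `--all` is needed so nested dependencies are included in the tree.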

Timeline of Events

Nov 29

Vulnerability reported by Lachlan Davidson via Meta Bug Bounty program

Nov 30

Meta security confirmed the vulnerability; React team began developing fix

Dec 1

Fix created; coordination with hosting providers and affected framework teams began

Dec 3

Patches published to npm; CVE-2025-55182 publicly disclosed

Don't Rely on Hosting Provider Mitigations

"Do not rely solely on temporary hosting provider mitigations. Upgrade your dependencies immediately."

Provider mitigations are a temporary band-aid. They may not catch all attack variations. The only reliable fix is upgrading to the patched React versions.

Security Checklist for React Server Components

  • Keep React and framework dependencies up to date
  • Subscribe to security advisories for React, Next.js, and your framework
  • Use npm audit in CI/CD pipelines
  • Implement server-side rate limiting on API routes
  • Validate and sanitize all inputs, even in Server Actions

Need Help Securing Your React Application?

Technspire provides security audits and remediation services for React and Next.js applications. We can help you assess your exposure and upgrade safely.

Contact Us for a Security Assessment

Summary: What You Need to Do

  1. Check if you're affected: Using React 19 with Server Components? You're affected.
  2. Upgrade immediately: React 19.0.1, 19.1.2, or 19.2.1
  3. Verify the upgrade: Run npm list to confirm
  4. Deploy to production: Don't just update locally—push to production ASAP

CVE-2025-55182 is a wake-up call for the React ecosystem. As Server Components become the default pattern, security considerations become more critical than ever. Stay updated, stay patched, and stay vigilant.
