Critical Flaw CVE-2025-55182 Affects React Server Components
All developers using React Server Components are urged to upgrade immediately, and some apps that don’t include React Server Function endpoints could be vulnerable, as well.

December 3, 2025 | 2 min read

The maintainers of React have fixed a critical security flaw in React Server Components (RSC) that allows unauthenticated remote code execution and can be exploited quite easily. All developers using React Server Components are urged to upgrade immediately, and the advisory says that some apps that don’t include React Server Function endpoints could be vulnerable, as well.
The vulnerability, tracked as CVE-2025-55182, was reported on Nov. 29 and stems from a flaw in how React decodes payloads sent to React Server Function endpoints. Crucially, an application does not need to implement any React Server Function endpoints to be vulnerable; simply supporting React Server Components makes it susceptible to attack. An unauthenticated attacker can craft a malicious HTTP request that, when deserialized by React on the server, achieves remote code execution.
“React Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client,” the advisory says.
“An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.”
There is a separate CVE (CVE-2025-66478) assigned to the same vulnerability in Next.js, which also has been upgraded to address the issue.
“In our experimentation, exploitation of this vulnerability had high fidelity, with a near 100% success rate and can be leveraged to a full remote code execution. The attack vector is unauthenticated and remote, requiring only a specially crafted HTTP request to the target server. It affects the default configuration of popular frameworks,” researchers at Wiz said in their analysis of the flaw.
A fix has been introduced and developers should upgrade the following packages to the patched versions immediately:
Affected Frameworks and Bundlers
Due to dependencies or included packages, several popular React frameworks and bundlers are affected, including:
Framework and bundler maintainers are expected to release specific upgrade instructions soon. This vulnerability only affects applications that use a server and a framework/bundler that supports React Server Components. If your app is purely client-side and does not use a server or an RSC-supporting tool, it is not affected.
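To act on the upgrade guidance above, a practitioner first has to know whether an RSC-capable package is present in the dependency tree at all, including copies pulled in transitively by a framework. The following is an added example, not code from the article, React or Next.js; the package names are the React RSC bindings and Next.js, and the patched version numbers are a constructed sample that must be replaced with the ones in the official advisory.

```javascript
// Added example (not from the article, React or Next.js). Scans a parsed
// package-lock.json (lockfileVersion 2/3 "packages" map, which also lists
// transitive dependencies) for packages that provide React Server Components
// support and reports whether each installed copy is at or above the patched
// version for its release line. The versions below are a CONSTRUCTED sample.
const PATCHED_VERSIONS = {
  "react-server-dom-webpack": ["19.0.5", "19.1.5", "19.2.5"],
  "react-server-dom-parcel": ["19.0.5", "19.1.5", "19.2.5"],
  "react-server-dom-turbopack": ["19.0.5", "19.1.5", "19.2.5"],
  next: ["15.0.5", "16.0.5"],
};

// "MAJOR.MINOR.PATCH[-prerelease]" -> [major, minor, patch] as numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns one finding per RSC-capable package in the lockfile. status is
// "patched", "vulnerable", "review" (prerelease build of a patched version)
// or "unknown-line" (installed major.minor not in the table: check by hand).
function auditLock(lock, table = PATCHED_VERSIONS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue; // root/workspace entries
    const name = path.slice(idx + "node_modules/".length);
    if (!(name in table)) continue;
    const installed = parseVersion(entry.version);
    const line = table[name].map(parseVersion)
      .find((p) => p[0] === installed[0] && p[1] === installed[1]);
    let status = "unknown-line";
    if (line) status = compare(installed, line) >= 0 ? "patched" : "vulnerable";
    if (status === "patched" && entry.version.includes("-")) status = "review";
    findings.push({ name, path, installed: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile: a Next.js app with one top-level RSC binding and
// a nested, older copy pulled in by another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.4" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.5" },
    "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "18.3.1" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(12)} ${f.installed.padEnd(8)} ${f.path}`);
}
```

Run it against `JSON.parse(fs.readFileSync("package-lock.json"))`; any "vulnerable", "review" or "unknown-line" line is a copy to upgrade or inspect, and an empty result on a server-rendered app means the audit table, not the app, needs checking.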
Dennis Fisher is an award-winning journalist and author. He is one of the co-founders of Decipher and Threatpost and has been writing about cybersecurity since 2000. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. He is the author of 2.5 novels and once met Shaq. Contact: dennis at decipher.sc.