Remote Code Execution Vulnerability in React Server Components

!!! Critical Security Vulnerability in React Server Components !!!

BIG THANKS TO THE REACT TEAM FOR THE INCREDIBLY FAST REACTION!!!

UPDATE NOW!

On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.

This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

Immediate Action Required

A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
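To turn the version lists above into a repeatable check, here is an added example (not code from the post or from the React project) that audits a `package-lock.json` (lockfile v2/v3 layout) for the `react-server-dom-webpack`, `react-server-dom-parcel` and `react-server-dom-turbopack` packages named in the post's link list and flags any copy, including nested ones, that sits below the fixed patch level (19.0.1, 19.1.2, 19.2.1). The lockfile embedded in the block is constructed sample data; treating a prerelease of a fixed version (for example a canary build) as still unfixed is a conservative assumption of this example, not a statement from the post.

```javascript
// Added example: audit a package-lock.json for React Server Components packages
// affected by CVE-2025-55182. Package names and version ranges follow the post;
// the sample lockfile below is constructed data.
const AFFECTED_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// First fixed patch level per 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "19.2.0", "19.0" or "19.2.1-canary-abc" into numeric parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]),
    prerelease: m[4] || '',
  };
}

// True when the version is in the affected range of a 19.x line:
// 19.0.x below 19.0.1, 19.1.x below 19.1.2, 19.2.x below 19.2.1.
function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p || p.major !== 19) return false;
  const fixed = FIXED_PATCH[p.minor];
  if (fixed === undefined) return false; // minor line not in the post's affected list
  if (p.patch < fixed) return true;
  // Conservative assumption: a prerelease of the fixed patch (19.2.1-canary-...)
  // sorts before the release under semver, so it is not treated as fixed.
  return p.patch === fixed && p.prerelease !== '';
}

// Walk lockfile "packages" entries; the package name is the path segment after
// the last "node_modules/", so nested copies under other packages are covered.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project entry has no node_modules path
    const name = path.slice(idx + 'node_modules/'.length);
    if (!AFFECTED_PACKAGES.includes(name) || !entry.version) continue;
    if (isVulnerableVersion(entry.version)) {
      const p = parseVersion(entry.version);
      findings.push({
        path,
        name,
        version: entry.version,
        upgradeTo: `19.${p.minor}.${FIXED_PATCH[p.minor]}`,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: one fixed copy and two affected copies.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.1.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected, upgrade to ${f.upgradeTo}`);
}
```

To run it against a real project, read the lockfile with `fs.readFileSync('package-lock.json', 'utf8')`, pass `JSON.parse` of it to `auditLockfile`, and fail the build or CI job whenever the returned list is non-empty; the nested-path handling matters because a framework can pin its own copy of a `react-server-dom-*` package under its own `node_modules`.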

Timeline

  • November 29th: Lachlan Davidson reported the security vulnerability via Meta Bug Bounty.
  • November 30th: Meta security researchers confirmed and began working with the React team on a fix.
  • December 1st: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix.
  • December 3rd: The fix was published to npm and the vulnerability was publicly disclosed as CVE-2025-55182.

React and NextJS update instructions on this page

Next.js, React router, react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack


For #magento devs and anyone using #VUE, #Nuxt or Hyvä: Vue and Nuxt do not use the React Server Components protocol. Not affected!

More articles by Zsolt Szalay