Critical Security Vulnerability in React Server Components — What You Need to Know

React Server Components Security Vulnerability
Category:  Web development
Date:  December 2025

On December 3, 2025, the React team published a stark warning: a critical, unauthenticated remote code execution (RCE) vulnerability has been discovered in React’s Server-Components implementation. The flaw, disclosed under CVE-2025-55182, stems from a bug in how React decodes payloads sent to “Server Function” endpoints and has been assigned a maximum severity rating (CVSS 10.0).

🔍 What Happened

The vulnerability affects how React decodes payloads sent to “Server Function” endpoints. Alarmingly, even if your application does not actively use “Server Functions,” it may still be vulnerable — any use of React Server Components could expose you. This flaw allows an unauthenticated attacker to send a specially crafted HTTP request to a server-component endpoint and trigger execution of arbitrary code on your server.

🚨 What’s at Risk

The vulnerability could lead to full server compromise: unauthorized data access, leakage of secrets or environment variables, data exfiltration, deployment of backdoors or persistence mechanisms — depending on server configuration. Because this affects default configurations of many frameworks and bundlers, the vulnerability could be widespread.

Affected packages include:

  • react-server-dom-webpack (versions 19.0 → 19.2.0)
  • react-server-dom-parcel
  • react-server-dom-turbopack

Affected frameworks/bundlers include:

  • Next.js (with App-Router)
  • React Router
  • Waku
  • Parcel RSC
  • Vite’s RSC plugin
  • Redwood SDK
  • Expo — and possibly others relying on React Server Components

✅ What Was Done (And What You Should Do)

The React team has released patched versions: react-server-dom-* 19.0.1, 19.1.2, 19.2.1. For Next.js users, upgrade to one of the fixed versions (e.g. 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7). If you are on a problematic canary release (≥ 14.3.0-canary.77), downgrade to the latest stable 14.x release.

If your app does not use a server (pure client-side React), or does not use a bundler/framework/plugin supporting Server Components / Server Functions — then you’re likely unaffected. Though some hosting providers and CDNs have issued temporary mitigations or WAF (Web Application Firewall) rules, the project owners strongly recommend upgrading immediately — don’t rely solely on mitigations.
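As an added example (not the advisory's or the React project's own code), here is a small Node.js script that maps the version lines listed above onto an npm lockfile's "packages" map and flags each covered package as vulnerable, patched or unaffected. The sample lockfile is constructed, and applying the 19.0 → 19.2.0 range given for the webpack package to the parcel and turbopack packages is an assumption.

```javascript
// First patched release per affected minor line, taken from the advisory text.
const RSC_FIXED = { '19.0': 1, '19.1': 2, '19.2': 1 }; // react-server-dom-*
const NEXT_FIXED = { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 };
const RSC_NAMES = /^react-server-dom-(webpack|parcel|turbopack)$/;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(v || '');
  return m && { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || '' };
}

// Below the fix if the patch is lower, or a pre-release of the fix itself (15.0.5-canary.1 < 15.0.5).
const belowFix = (p, fixed) => p.patch < fixed || (p.patch === fixed && p.pre !== '');

// Returns 'vulnerable', 'patched', 'unaffected' or 'unknown' (not covered by the advisory).
function assess(name, version) {
  const p = parseVersion(version);
  if (!p) return 'unknown';
  const line = `${p.major}.${p.minor}`;
  if (RSC_NAMES.test(name)) {
    // Advisory lists 19.0 -> 19.2.0 for the webpack package; assumed to apply to all three.
    if (!(line in RSC_FIXED)) return 'unaffected';
    return belowFix(p, RSC_FIXED[line]) ? 'vulnerable' : 'patched';
  }
  if (name !== 'next') return 'unknown';
  if (line in NEXT_FIXED) return belowFix(p, NEXT_FIXED[line]) ? 'vulnerable' : 'patched';
  // Canaries from 14.3.0-canary.77 on are affected; stable 14.x is the safe downgrade target.
  const canary = /^canary\.(\d+)$/.exec(p.pre);
  if (line === '14.3' && p.patch === 0 && canary) return +canary[1] >= 77 ? 'vulnerable' : 'unaffected';
  return p.major === 14 ? 'unaffected' : 'unknown';
}

// Walk an npm lockfile (v2/v3) "packages" map and report every package the advisory covers.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx < 0) continue; // '' is the root project entry
    const name = key.slice(idx + 'node_modules/'.length);
    const status = assess(name, entry.version);
    if (status !== 'unknown') findings.push({ name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile fragment, not a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/next': { version: '15.4.7' },
  'node_modules/react-server-dom-webpack': { version: '19.2.0' },
  'node_modules/react-server-dom-turbopack': { version: '19.1.2' },
  'node_modules/react-dom': { version: '19.2.0' },
} };
console.table(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any 'vulnerable' row means upgrade before relying on WAF rules.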

🧑‍💻 What This Means for Developers & Teams

This vulnerability is a stark reminder that framework-level flaws — not just application code — can jeopardize your entire infrastructure. Even if you follow best practices for input validation and authentication, a flaw deep in React’s Server Components implementation could bypass all of that.

If you maintain or contribute to React-based applications — particularly those using Next.js or other SSR/Server-Component features — treat this as a top priority security update. Beyond patching: review your deployment practices. Do you have continuous dependency audits? Do you monitor and patch third-party libraries routinely? Do you isolate server-side logic behind hardened boundaries? This incident highlights how essential those practices are.

📌 Final Thought

The disclosure of CVE-2025-55182 shows that even widely trusted, battle-tested frameworks like React can harbor critical vulnerabilities — especially with newer abstractions like Server Components. The speed with which patches have been released is encouraging, but the responsibility now lies with developers and organizations: update now, audit your dependencies, and review your security posture — before threat actors do.