A rare and high-impact security event
The React Team does not often publish security warnings of this magnitude. In fact, critical vulnerability announcements in the React ecosystem are rare, which makes this disclosure especially important for developers, teams, and anyone working with React Server Components. When a CVSS 10.0 vulnerability appears in such a widely used framework—and when the announcement comes directly from the React Team—it signals an exceptional situation requiring immediate attention. This is not routine maintenance or a minor patch; it is a high-severity issue that can compromise production systems if left unpatched.
On December 3, 2025, the React Team publicly disclosed an unauthenticated remote code execution vulnerability (CVE-2025-55182) affecting React Server Components (RSC). The flaw allows attackers to send malicious HTTP payloads to Server Function endpoints, which React would then improperly deserialize, enabling remote execution of code on the server.
Who is affected by this vulnerability?
This vulnerability impacts any application using React Server Components, even if the app does not explicitly use Server Functions. Several ecosystem tools include or depend on the vulnerable packages, affecting a wide range of frameworks and bundlers.
| Affected packages | Versions |
|---|---|
| react-server-dom-webpack | 19.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-parcel | 19.0, 19.1.0, 19.1.1, 19.2.0 |
| react-server-dom-turbopack | 19.0, 19.1.0, 19.1.1, 19.2.0 |

| Affected frameworks & bundlers | Status |
|---|---|
| Next.js | Requires immediate upgrade |
| React Router (RSC APIs) | Requires dependency upgrades |
| Waku | Requires latest release |
| @parcel/rsc | Requires updated versions |
| @vitejs/plugin-rsc | Requires latest plugin |
| rwsdk | Affected; update required |
Patched versions now available
The React Team released fixed versions within just a few days of the initial report. Upgrading is the only reliable mitigation, even if your hosting provider has applied temporary protections. You should update immediately to one of the patched versions.
| Fixed versions | Status |
|---|---|
| 19.0.1 | Safe |
| 19.1.2 | Safe |
| 19.2.1 | Safe |
Why this vulnerability matters
React Server Components introduced new possibilities for server-driven UI, but they also expanded the attack surface. The flaw lies in the decoding layer React uses to translate incoming HTTP requests into Server Function calls. Because that decoding runs before authentication checks, an unauthenticated attacker could deliver arbitrary payloads to a vulnerable endpoint.
Although the React Team has not yet published deep technical details, they will do so once the fix is fully deployed and the ecosystem is updated. For now, the priority is ensuring every affected project upgrades immediately.
What developers should do right now
You should verify your React, React DOM, and RSC-related dependencies to ensure none of the vulnerable versions are present. You should also update any RSC-compatible frameworks you use. Below is a quick overview of recommended upgrade paths for each major tool.
| Framework / tool | Upgrade action |
|---|---|
| Next.js | Install latest patched version in your release line |
| React Router (unstable RSC APIs) | Update React, React DOM, and RSC packages |
| Expo | Update React and react-server-dom-webpack |
| Redwood SDK | Ensure rwsdk ≥ 1.0.0-alpha.0 and update RSC packages |
| Waku | Update React, React DOM, RSC packages, and Waku itself |
| @vitejs/plugin-rsc | Install latest plugin release |
| react-server-dom-parcel / turbopack / webpack | Update all RSC packages to latest versions |
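As an added example (not code from the React Team or any of the projects listed above), the following Node.js script applies this page's affected-version list to an npm package-lock.json, including copies of the RSC packages nested under another package's own node_modules, which a top-level version check can miss. The lockfile it scans is a constructed sample; the package names and fixed versions are those given on this page.

```javascript
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// First patched release in each 19.x line named on this page: 19.0.1, 19.1.2, 19.2.1.
const FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// Parse "MAJOR.MINOR.PATCH[-prerelease]". The prerelease tag is ignored, so a
// canary build of an affected version is reported as affected (conservative).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}
// An affected RSC package at 19.x is vulnerable below its line's first fixed patch.
function isVulnerable(name, version) {
  if (!AFFECTED_PACKAGES.has(name)) return false;
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;
  const fixed = FIRST_FIXED_PATCH[p.minor];
  return fixed !== undefined && p.patch < fixed;
}

// Walk every entry of an npm lockfile (lockfileVersion 2 or 3 "packages" map),
// including copies nested under another package's node_modules, and return hits.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // the "" key is the root project, not a dependency
    const name = path.slice(i + "node_modules/".length);
    if (entry.version && isVulnerable(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): one top-level affected
// package, one affected copy nested under a framework, one already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
  },
};
for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`VULNERABLE ${h.name}@${h.version} at ${h.path}`);
```

To scan a real project, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")); a package manager that does not produce an npm-style lockfile needs the equivalent walk over its own lockfile format.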
How the vulnerability was handled
The response timeline shows rapid collaboration between Meta’s security team, the React Team, hosting providers, and open-source maintainers.
| Date | Event |
|---|---|
| Nov 29 | Vulnerability reported through Meta Bug Bounty |
| Nov 30 | Meta security confirms issue and coordinates fix |
| Dec 1 | Fix created; ecosystem partners begin mitigation |
| Dec 3 | Patched versions released; CVE publicly disclosed |
This coordinated rollout helped reduce exposure and ensured that frameworks depending on RSC could deliver patched versions quickly.
Conclusion: update immediately to stay secure
This vulnerability is both rare and severe, and it highlights the importance of keeping React ecosystems up to date—especially when working with server-side features like React Server Components. If your app, framework, or bundler includes any affected package, you should upgrade immediately to a patched version. With fixes now available across all major RSC-enabled tools, the safest path is simply to update as soon as possible.