Critical Vulnerabilities in React and Next.js
Critical RCE in React Server Components [CVE-2025-55182]: What to Patch, How to Verify, and How to Reduce Risk Today🚨
TL;DR
A critical vulnerability [CVE-2025-55182] impacts the React 19 ecosystem when using
React Server Components (RSC) / “Server Functions”. Under vulnerable configurations it can lead to
unauthenticated remote code execution (RCE). Patch immediately and verify your dependency tree—not
just your top-level React version.
What happened?
On December 3, 2025, the React team published an urgent security advisory describing a vulnerability in the
React Server Components implementation. The key takeaway: this is not “just a React version check.”
The risk centers on specific react-server-dom-* packages that may be pulled in transitively by
frameworks and bundlers.
What’s affected [and what’s not]?
This issue is in server-side React Server Components / “Server Functions” payload handling. Typical client-only
SPA builds that never run React on the server are generally not in scope. Teams should prioritize any applications
that use RSC-capable frameworks, bundlers, or plugins (for example: Next.js App Router and other RSC integrations).
Affected packages and patched versions:
The vulnerability is tied to specific React Server Components implementation packages. You should audit your repos and CI builds for these packages and upgrade anything matching the vulnerable versions.
react-server-dom-webpack
  Vulnerable: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  Fixed:      19.0.1, 19.1.2, 19.2.1
react-server-dom-parcel
  Vulnerable: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  Fixed:      19.0.1, 19.1.2, 19.2.1
react-server-dom-turbopack
  Vulnerable: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  Fixed:      19.0.1, 19.1.2, 19.2.1
Key detail: You must check the versions of react-server-dom-* packages,
not only react and react-dom. These packages can appear as transitive dependencies.
How to update the components [fast + safe]
The goal is to ensure no vulnerable versions of react-server-dom-* exist anywhere in your dependency tree.
In most apps, you’ll upgrade your framework (ex: Next.js) and then verify the installed tree.
1) Patch the React Server Components packages
In your project root, run one of the following depending on your package manager. The three patched versions correspond to the three 19.x lines (19.0.1 for 19.0.x, 19.1.2 for 19.1.x, 19.2.1 for 19.2.x); install the one that matches your installed react and react-dom, because the react-server-dom-* packages expect the same React release. The commands below assume the 19.2 line:
npm
npm install react-server-dom-webpack@19.2.1 react-server-dom-parcel@19.2.1 react-server-dom-turbopack@19.2.1
yarn (classic/berry)
yarn add react-server-dom-webpack@19.2.1 react-server-dom-parcel@19.2.1 react-server-dom-turbopack@19.2.1
pnpm
pnpm add react-server-dom-webpack@19.2.1 react-server-dom-parcel@19.2.1 react-server-dom-turbopack@19.2.1
If your framework manages these packages under the hood, direct pinning may not "stick" (or may be overridden). Next.js in particular ships its own bundled copy of the RSC runtime inside the next package rather than as a separate dependency, so a pinned react-server-dom-* version in your package.json does not change what the framework actually executes, and npm ls may not list that copy at all.
In that case, treat the framework upgrade as the real fix and use the verification steps below.
2) Upgrade your framework [recommended]
For Next.js (or any RSC-enabled framework), upgrade to the patched release for your major/minor line as listed in the framework's advisory, then rebuild and redeploy. The examples below use next@latest, which moves you to the newest major; if you need to stay on your current line, pin the patched release for that line instead.
Example (npm): npm install next@latest
Example (yarn): yarn add next@latest
Example (pnpm): pnpm add next@latest
3) Verify the installed dependency tree
After upgrading, confirm that none of the vulnerable versions are present in node_modules.
Check for vulnerable versions:
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack --all
Also check for duplicates (if you have multiple versions installed):
npm ls react-server-dom-webpack --all
npm ls react-server-dom-parcel --all
npm ls react-server-dom-turbopack --all
4) If you find a vulnerable transitive dependency
First: upgrade the framework/bundler/plugin that pulled it in [preferred].
Second: use an override/resolution to force a fixed version [works well as a temporary guardrail]. An override applies tree-wide, so pick the patched release of the same 19.x line as your installed react and react-dom (the examples below assume the 19.2 line), and re-run the verification commands afterwards.
npm (package.json overrides)
{
"overrides": {
"react-server-dom-webpack": "19.2.1",
"react-server-dom-parcel": "19.2.1",
"react-server-dom-turbopack": "19.2.1"
}
}
yarn (resolutions)
{
"resolutions": {
"react-server-dom-webpack": "19.2.1",
"react-server-dom-parcel": "19.2.1",
"react-server-dom-turbopack": "19.2.1"
}
}
pnpm (overrides)
{
"pnpm": {
"overrides": {
"react-server-dom-webpack": "19.2.1",
"react-server-dom-parcel": "19.2.1",
"react-server-dom-turbopack": "19.2.1"
}
}
}
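Steps 3 and 4 above come down to one question per repo: does any installed copy of a react-server-dom-* package have a vulnerable version, and if so, which patched release of the same line should the override target? The Node script below is an added example (not code from the React or Next.js advisories) that answers that from a package-lock.json: it walks both the v2/v3 "packages" map and the older v1 nested "dependencies" layout, reports every copy including nested duplicates, and emits the matching "overrides" object. The lockfiles embedded in it are constructed for illustration, and the package name rsc-plugin is hypothetical. Remember the caveat from step 1: a copy vendored inside a framework package does not appear in the lockfile, so a clean result here does not replace checking the framework version.

```javascript
// Added example: audit a package-lock.json for vulnerable react-server-dom-* copies.
// Not from the React/Next.js advisories; sample lockfiles below are constructed.
const RSC_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Vulnerable -> fixed, per the advisory table. The fix is line-specific:
// 19.0.x goes to 19.0.1, 19.1.x to 19.1.2, 19.2.x to 19.2.1.
const FIXED_FOR = {
  "19.0.0": "19.0.1",
  "19.1.0": "19.1.2",
  "19.1.1": "19.1.2",
  "19.2.0": "19.2.1",
};

// Return every installed copy of an RSC package, with its path in node_modules.
// Handles lockfile v2/v3 ("packages" keyed by path) and v1 (nested "dependencies").
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // The last "node_modules/" segment is the package name; "" is the project root.
      const name = path.split("node_modules/").pop();
      if (path && RSC_PACKAGES.includes(name)) {
        found.push({ path, name, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (RSC_PACKAGES.includes(name)) found.push({ path, name, version: meta.version });
      walk(meta.dependencies, `${path}/`); // nested duplicates live under the parent
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Keep only copies whose exact version is in the advisory's vulnerable list.
function findVulnerable(lock) {
  return collectInstalled(lock)
    .filter((p) => Object.prototype.hasOwnProperty.call(FIXED_FOR, p.version))
    .map((p) => ({ ...p, fixed: FIXED_FOR[p.version] }));
}

// Build the package.json "overrides" object (one version per package name, applied
// tree-wide) that forces each vulnerable package to the patched release of its line.
function buildOverrides(vulnerable) {
  const overrides = {};
  for (const v of vulnerable) overrides[v.name] = v.fixed;
  return overrides;
}

// Constructed lockfile v3: a hypothetical plugin nests two vulnerable 19.0.0 copies,
// while the root-level parcel package is already on the fixed 19.0.1.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "19.0.0", "rsc-plugin": "1.0.0" } },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-dom": { version: "19.0.0" },
    "node_modules/rsc-plugin": { version: "1.0.0" },
    "node_modules/rsc-plugin/node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/rsc-plugin/node_modules/react-server-dom-turbopack": { version: "19.0.0" },
    "node_modules/react-server-dom-parcel": { version: "19.0.1" },
  },
};

// Constructed lockfile v1: same idea in the nested "dependencies" layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "rsc-plugin": {
      version: "1.0.0",
      dependencies: { "react-server-dom-webpack": { version: "19.1.1" } },
    },
  },
};

// Stand-alone run: print findings and the override block to paste into package.json.
for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  const vulnerable = findVulnerable(lock);
  console.log(JSON.stringify({ vulnerable, overrides: buildOverrides(vulnerable) }, null, 2));
}
```

To run it against a real repo, replace the samples with JSON.parse of the lockfile contents and fail the CI job when findVulnerable returns a non-empty list. For pnpm and yarn lockfiles the same logic applies, but the parsing differs (YAML, and yarn's own format), so use the package manager's own ls/why output there.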
Next.js and ecosystem impact
Wiz’s write-up highlights that the React RSC issue can translate into real-world risk in popular frameworks that
implement the “Flight” protocol, including Next.js deployments. Next.js published an advisory describing affected
lines and patched releases. If you run Next.js with App Router (or any RSC-enabled configuration), treat this as
a priority patch regardless of whether you believe the endpoint is "public."
Why this is high risk
Impact: Unauthenticated remote code execution (worst case) in the context of your server process.
Transitive exposure: Even if you didn’t intentionally enable “server functions,” your stack might.
Exploit path can look like normal traffic: Attack payloads may be delivered as specially crafted requests to RSC endpoints.
Immediate actions to take
Patch React RSC packages: upgrade any installed instances to fixed versions listed above.
Patch your framework: update Next.js (or your RSC framework) to an advisory-approved release.
Defense-in-depth: review WAF/edge protections, monitoring, least privilege, and rollback plans.
How to verify your exposure quickly
The fastest checks are:
Scan repos for lockfiles and identify installed versions of react-server-dom-*.
Validate the live dependency tree with npm ls (or your package manager equivalent) in CI.
Confirm your framework version (especially Next.js App Router) matches patched advisory releases.