CVE-2025-55182: Maximum-severity RCE flaw discovered in React Server Components

Security Team


The React team has disclosed a critical vulnerability, rated CVSS 10.0 (the highest possible score), in the way React Server Components (RSC) deserialize data sent to Server Functions. Tracked as CVE-2025-55182, the flaw lets an attacker execute arbitrary code on the server without any form of authentication: an unauthenticated remote code execution (RCE).

Every application that uses React Server Components, including those built on widely used frameworks such as Next.js, is strongly advised to upgrade to a patched release immediately to prevent exploitation and reduce the risk of compromise.

Remote code execution via the server function mechanism

The vulnerability lies in how React deserializes data sent to Server Functions, a core feature of React Server Components: the step in which the body of an incoming request is decoded on the server and turned back into the values the server-side function is called with.

  • Root cause: The weakness stems from unsafe handling of payloads taken from HTTP requests. The RSC runtime converts such a request into a server-side function call, and because the decoding step trusted the structure of the attacker-supplied payload, a crafted request can steer it into executing attacker-controlled code.
  • Exploitation: No authentication is required. An attacker sends a crafted request to any Server Function endpoint; when React deserializes the malicious payload, the embedded code runs directly on the server.
  • Wide attack surface: Applications that never define or call a Server Function themselves are still exposed if they are served through a framework or bundler integration built on the react-server-dom-* packages, because the endpoint that decodes these payloads is part of the RSC integration itself.
  • Severity (CVSS 10.0): The maximum score reflects remote code execution from a single unauthenticated request, with no credentials, user interaction or special conditions required, giving the attacker control of the server process and everything it can reach.

Affected versions and security patches

This vulnerability affects the packages that encode and decode the data exchanged by React Server Components (RSC), one per supported bundler. The same four releases are affected in each, and each branch has its own fix: 19.0.x is fixed in 19.0.1, 19.1.x in 19.1.2, and 19.2.0 in 19.2.1.

Affected package             Affected versions                 Patched versions
react-server-dom-webpack     19.0.0, 19.1.0, 19.1.1, 19.2.0    19.0.1, 19.1.2, 19.2.1
react-server-dom-parcel      19.0.0, 19.1.0, 19.1.1, 19.2.0    19.0.1, 19.1.2, 19.2.1
react-server-dom-turbopack   19.0.0, 19.1.0, 19.1.1, 19.2.0    19.0.1, 19.1.2, 19.2.1

Important notice: Frameworks built on React Server Components inherit the flaw. Next.js tracks it under the related identifier CVE-2025-66478; Next.js developers must upgrade to a fixed release, 16.0.7 on the 16.x line or 15.5.7 on the 15.x line, to fully mitigate the risk.

Urgent actions for developers

The only effective and immediate action is to upgrade to a patched release without delay; nothing short of that removes the vulnerable deserialization code from the request path.

Assessing exposure conditions

Your application is affected if both of the following hold:

  • It serves React Server Components through a framework or bundler integration built on the react-server-dom-* packages, such as the Next.js App Router, Waku, or the RSC plugins for Vite and Parcel.
  • The react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack package that integration uses is one of the affected versions listed above. For Next.js, which bundles its own copy of these packages inside the next package, the version of next itself is what to check.

Defining no Server Functions of your own does not exempt you: the endpoint that decodes Server Function payloads ships with the RSC integration regardless.

Note: A React application that renders entirely on the client (Client-Side Rendering) and implements no Server Components does not run these packages on a server and is not affected. Having react or react-dom 19.x in a client bundle is not the deciding factor; the vulnerable code lives in the react-server-dom-* packages.

Upgrade Instructions

Update the react-server-dom-* package your bundler uses to its patched release, and keep react and react-dom on the matching version. On the 19.2 branch, with the webpack integration:

npm install react@19.2.1 react-dom@19.2.1 react-server-dom-webpack@19.2.1

or alternatively:

yarn upgrade react@19.2.1 react-dom@19.2.1 react-server-dom-webpack@19.2.1

Substitute react-server-dom-parcel or react-server-dom-turbopack for the package your setup actually depends on; on the 19.0 and 19.1 branches the targets are 19.0.1 and 19.1.2 respectively. Next.js applications upgrade the next package itself (to 16.0.7 or 15.5.7, as noted above), since Next.js bundles its own copy of the RSC packages. After installing, confirm with npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack next that no affected version remains anywhere in the dependency tree, then rebuild and redeploy.

Conclusion

The CVSS 10.0 vulnerability in React Server Components is not a routine bug but a serious threat to the whole server-side React ecosystem. The maximum score reflects exactly what it allows: code execution on the server from a single unauthenticated HTTP request, with no credentials, user interaction or special conditions required.

The React team's rapid release of patched versions is commendable, but the remaining work falls to developers. Delaying the upgrade is not a viable option; treat this patch as a top priority to protect user data and the integrity of the systems behind your application.

Verify the installed versions of the react-server-dom-* packages (and of next, if you use Next.js), upgrade to the patched releases, and redeploy promptly.
