Vulnerability in React Server Components and Next.js

An unauthenticated attacker could send a malicious HTTP request to any Server Function endpoint, which, when processed by React, could lead to remote code execution on the server. However, even if a Server Function endpoint is not implemented, exploitation could still be possible via React Server Components. This flaw could allow attackers to remotely execute arbitrary code, severely compromising the integrity of affected applications.

‍

‍

React has released security updates to address the vulnerability. It is advised to install these updates as soon as possible. See the React instructions for more information.

If you are using the packages mentioned above, upgrade immediately. This vulnerability has been fixed in versions 19.0.1, 19.1.2, and 19.2.1. If your application's React code does not use a server, your application is not vulnerable to this vulnerability. Also, if your application does not use a framework, bundler, or bundler plugin that supports React Server Components, your application is not affected.

The following React frameworks and bundlers are affected:

• Next
• ReactRouter
• Waku
• @parcel/rsc
• @vitejs/plugin-rsc
• rwsdk

The vulnerability also affects Next.js with App Router. The vulnerability exists in Next.js versions 14.3.0-canary, 15.x, and 16.x and is fixed in the following patched versions: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7.

‍

• https://advisories.ncsc.nl/2025/ncsc-2025-0380.html
• https://nvd.nist.gov/vuln/detail/CVE-2025-55182
• https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
• https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
• https://react2shell.com/
• https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/

‍

‍