⚠️ Urgent Security Advisory: Critical Vulnerability in React Ecosystem
The CVE-2025-55182 vulnerability, officially disclosed by the React team, is a critical security flaw (CVSS 10.0) that allows unauthenticated remote code execution (RCE) on the server. Any application using React Server Components (RSC) or React Server Functions is potentially affected. You can find the official disclosure on the React blog.
This vulnerability stems from a flaw in how React decodes payloads sent to Server Function endpoints, enabling crafted HTTP requests to execute arbitrary code.
🔧 Framework-Specific Immediate Action Guide
Execute the following commands in your project root based on your tech stack.
```bash
# For Next.js users (most common)
# Update to the patched version for your major release line
npm install next@14.2.35   # for users on 13.3.x, 13.4.x, 13.5.x, 14.x
npm install next@15.0.8    # for users on 15.0.x
npm install next@15.1.12   # for users on 15.1.x
# ... see the official guide for other versions

# React + Vite (using plugin-rsc)
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest

# React Router (using unstable RSC APIs)
npm install react@latest react-dom@latest react-server-dom-webpack@latest

# General React project (if using relevant packages)
npm install react@19.0.1 react-dom@19.0.1 react-server-dom-webpack@latest
```
Note: Always update react and react-dom together. Do not rely on hosting providers' temporary mitigations as a permanent solution.

📊 Vulnerability Impact & Key Considerations
| Item | Details |
|---|---|
| CVE ID | CVE-2025-55182 |
| CVSS Score | 10.0 (CRITICAL) |
| Affected Versions | react, react-dom, react-server-dom-* packages versions 19.0.0, 19.1.0, 19.1.1, 19.2.0 |
| Patched Versions | 19.0.1, 19.1.2, 19.2.1 (or latest for each package) |
| Affected Frameworks | Next.js, React Router, Waku, Vite RSC Plugin, Parcel RSC, etc. |
| Not Affected | Pure CSR apps without a server, bundlers without RSC support |
Limitations & Critical Notes:
- Monorepo Caution: If you are using React Native in a monorepo, updating `react`/`react-dom` may cause version mismatch errors. Only update the affected `react-server-dom-*` packages in this scenario.
- Canary Releases: If you are on a Next.js Canary release, downgrading to the latest stable patched version is advised.
- Deep-Dive Pending: Full technical details of the exploit vector will be released after the patch rollout is complete. Focus on updating first.

🚀 Next Steps & Best Practices for Developers
- Act Now: Audit the `package.json` files of all production React projects to check whether you are using an affected version.
- Dependency Scan: Run `npm ls react react-dom react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack` to verify installed versions.
- Test & Deploy: Perform regression testing on core functionalities after updating in a development/staging environment before deploying to production.
- Continuous Learning: This incident highlights the new security responsibilities that come with meta-frameworks and deep server component integration. Deepening your understanding of server-client boundaries and serialization security is a key learning path forward.
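As an added example (not code from the advisory or from the React project), the following Node script classifies every in-scope package in an `npm ls --json` tree, including nested non-hoisted copies, against the affected and patched versions listed in the table above. The sample tree and the status labels are constructed for illustration.

```javascript
// Added example, not code from the advisory or from React: audit the React packages
// reported by `npm ls --json` against the affected/patched versions in the table above.
const AFFECTED = ["19.0.0", "19.1.0", "19.1.1", "19.2.0"];          // from the advisory
const PATCHED_BY_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// react, react-dom and every react-server-dom-* package are in scope.
function isInScope(name) {
  return name === "react" || name === "react-dom" || name.startsWith("react-server-dom-");
}

// "affected": exact match on a listed vulnerable version.
// "patched":  x.y.z with z at or above the patched release for that 19.x line.
// "unlisted": anything else (other majors, canary/pre-release builds) - check manually.
function classifyVersion(name, version) {
  if (!isInScope(name)) return "out-of-scope";
  if (AFFECTED.includes(version)) return "affected";
  if (version.includes("-")) return "unlisted";
  const [major, minor, patch] = version.split(".").map(Number);
  const fixed = PATCHED_BY_LINE[`${major}.${minor}`];
  if (!fixed) return "unlisted";
  return patch >= Number(fixed.split(".")[2]) ? "patched" : "unlisted";
}

// Walk an `npm ls --json` tree recursively so nested (non-hoisted) copies are not missed.
function auditLsTree(tree, out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    if (isInScope(name) && node.version) {
      out.push({ name, version: node.version, status: classifyVersion(name, node.version) });
    }
    auditLsTree(node, out);
  }
  return out;
}

// Constructed sample shaped like `npm ls --json` output; not data from a real project.
const SAMPLE_TREE = {
  dependencies: {
    react: { version: "19.1.1" },
    "react-dom": { version: "19.1.1" },
    "react-server-dom-webpack": { version: "19.1.2" },
    next: { version: "15.1.12", dependencies: { react: { version: "19.2.0" } } },
    lodash: { version: "4.17.21" },
  },
};

// Usage: capture real output with `npm ls --all --json > tree.json` and pass the parsed object in.
for (const f of auditLsTree(SAMPLE_TREE)) console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}`);
```

Any "affected" row means the update commands above still need to be applied; "unlisted" rows (for example canary builds) should be checked by hand against the official guide.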
Applying security patches without delay remains the best defense. Keep your projects secure.