04/12/2025
Merto Team

Critical Security Vulnerability in React Server Components

    Critical Security Vulnerability in React Server Components (CVE-2025-55182)

    Published: 03 December 2025
    Updated: 03 December 2025
    Reported by: Lachlan Davidson
    Severity: CVSS 10.0 (Critical)

    A critical security vulnerability has been disclosed in React Server Components, affecting a wide range of applications built with React and Next.js. The issue can allow unauthenticated remote code execution, making it one of the most severe vulnerabilities ever published within the React ecosystem.

    This blog provides a clear overview of what happened, who is affected, and the actions development teams should take immediately.

    What happened

    On 29 November 2025, security researcher Lachlan Davidson reported a flaw in how React deserialises payloads handled by React Server Function endpoints. This flaw allows an attacker to craft a malicious HTTP request that, when processed by a vulnerable server, can lead to remote code execution.

    The vulnerability affects applications even if they do not explicitly use React Server Functions: if an application supports React Server Components (RSC), it may still be vulnerable.

    On 03 December 2025, the issue was publicly disclosed as CVE-2025-55182 after fixes were released across the ecosystem.

    Affected React versions

    The vulnerability is present in the following versions of the React Server Components packages:

    • 19.0
    • 19.1.0
    • 19.1.1
    • 19.2.0

    These packages include:

    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack

    Patched Versions

    A fix has been shipped in:

    • 19.0.1
    • 19.1.2
    • 19.2.1

    Developers should upgrade immediately to one of the patched versions.

    Impact on Next.js users

    Next.js is one of the largest adopters of React Server Components. As a result, most modern Next.js applications fall within the affected category.

    The React Team and Vercel have released patches for all supported release lines.

    Required Next.js upgrades

    • npm install next@15.0.5
    • npm install next@15.1.9
    • npm install next@15.2.6
    • npm install next@15.3.6
    • npm install next@15.4.8
    • npm install next@15.5.7
    • npm install next@16.0.7

    If you are running Next.js 14.3.0-canary.77 or later canary versions, downgrade to the latest stable 14.x release.

    Other frameworks and bundlers affected

    Several tools that support React Server Components may also be affected. These include:

    • React Router (unstable RSC APIs)
    • Waku
    • Redwood SDK
    • Parcel RSC (@parcel/rsc)
    • Vite RSC plugin (@vitejs/plugin-rsc)
    • Turbopack RSC packages

    Each project has posted its own upgrade instructions, but the general rule is to update React, React DOM, and the relevant RSC package to the latest available version.

    Who is not affected

    You are not affected if:

    • Your React application does not use a server.
    • Your application does not use any framework or bundler that supports React Server Components.
    • You run only client-side React without RSC features.

    Classic client-only React apps do not need to take action.

    Timeline of the disclosure

    • 29 November: Vulnerability reported via Meta Bug Bounty
    • 30 November: Meta security researchers confirmed the issue
    • 01 December: Fix prepared and shared with hosting providers and framework maintainers
    • 03 December: Fix released publicly and CVE-2025-55182 published

    Hosting provider mitigations

    While some hosting providers were able to apply temporary mitigations, the React Team stresses that these should not be relied upon. Developers must apply the official updates to remove the vulnerability completely.

    What you should do now

    If you maintain any React or Next.js application, you should:

    1. Check whether your versions of React or Next.js fall within the affected range.
    2. Upgrade immediately to the patched versions.
    3. Review logs for any unusual activity during the vulnerable window.
    4. Rebuild and redeploy your application after upgrading.
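    A version-check script for step 1, added here as an example (it is not code from the React team, Vercel, or the author of this post). It encodes the affected and patched versions listed in this post, treats the post's "19.0" as 19.0.0, and runs over a constructed sample inventory rather than a real project.

```javascript
// Added example (not code from the React team, Vercel or this post's author): checks
// installed versions against the affected/patched versions listed in this post.
// Lowest patched release of each affected line (the post's "19.0" read as 19.0.0).
const PATCHED = {
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}
// Negative if a < b; a release outranks any pre-release with the same number.
function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}
// "patched", "vulnerable", "not-affected", or "check-manually" for a release
// line the post lists no fix for (e.g. a newer minor or an 18.x RSC build).
function assess(pkg, version) {
  const lines = PATCHED[pkg];
  if (!lines) return "not-tracked";
  const v = parseVersion(version);
  if (pkg === "next" && v.major < 15) {
    // Stable 14.x is safe; 14.3.0-canary.77 and later canaries are not.
    const canary = v.pre && /^canary\.(\d+)$/.exec(v.pre);
    const lateCanary = v.major === 14 && v.minor === 3 && v.patch === 0 && canary && +canary[1] >= 77;
    return lateCanary ? "vulnerable" : "not-affected";
  }
  const line = lines.map(parseVersion).find((p) => p.major === v.major && p.minor === v.minor);
  if (!line) return "check-manually";
  return compareVersions(v, line) >= 0 ? "patched" : "vulnerable";
}
// Audit a flat {package: version} inventory (e.g. built from `npm ls --json`).
function audit(inventory) {
  return Object.entries(inventory)
    .filter(([pkg]) => pkg in PATCHED)
    .map(([pkg, version]) => ({ pkg, version, status: assess(pkg, version) }));
}
// Constructed sample inventory (not from a real project).
const SAMPLE = { next: "15.4.6", react: "19.2.0", "react-server-dom-webpack": "19.2.0", "react-server-dom-turbopack": "19.2.1" };
console.table(audit(SAMPLE));
```

    Anything reported as "check-manually" is a release line this post does not cover, so confirm it against the official advisories linked below.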

    If you use a third-party agency or development team, confirm with them that your application has been reviewed and patched.

    Official References

    CVE record:
    https://www.cve.org/CVERecord?id=CVE-2025-55182

    Next.js advisory:
    https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp

    React Team announcement:
    https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

    Final thoughts

    Security vulnerabilities of this severity are rare, especially with a CVSS score of 10.0. The transparency and coordinated response from the React ecosystem have helped ensure that fixes were ready as soon as the issue became public.

    If you are unsure whether your systems are affected or would like support reviewing your setup, feel free to reach out for guidance. https://mertosolutions.com/contact-us
