Critical Security Vulnerability in React Server Components (CVE-2025-55182)
Published: 03 December 2025
Updated: 03 December 2025
Reported by: Lachlan Davidson
Severity: CVSS 10.0 (Critical)
A critical security vulnerability has been disclosed in React Server Components, affecting a wide range of applications built with React and Next.js. This issue can allow unauthenticated remote code execution, making it one of the most severe vulnerabilities ever published within the React ecosystem.
This blog provides a clear overview of what happened, who is affected, and the actions development teams should take immediately.
What happened
On 29 November 2025, security researcher Lachlan Davidson reported a flaw in how React deserialises payloads handled by React Server Function endpoints. This flaw allows an attacker to craft a malicious HTTP request that, when processed by a vulnerable server, can lead to remote code execution.
The vulnerability affects applications even if they do not explicitly use React Server Functions. If an application supports React Server Components (RSC), it may still be vulnerable.
On 03 December 2025, the issue was publicly disclosed as CVE-2025-55182 after fixes were released across the ecosystem.
Affected React versions
The vulnerability is present in the following versions of the React Server Components packages:
- 19.0
- 19.1.0
- 19.1.1
- 19.2.0
These packages include:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Patched Versions
A fix has been shipped in:
- 19.0.1
- 19.1.2
- 19.2.1
Developers should upgrade immediately to one of the patched versions.
Impact on Next.js users
Next.js is one of the largest adopters of React Server Components. As a result, most modern Next.js applications fall within the affected category.
The React Team and Vercel have released patches for all supported release lines.
Required Next.js upgrades
- npm install next@15.0.5
- npm install next@15.1.9
- npm install next@15.2.6
- npm install next@15.3.6
- npm install next@15.4.8
- npm install next@15.5.7
- npm install next@16.0.7
If you are running Next.js 14.3.0-canary.77 or later canary versions, downgrade to the latest stable 14.x release.
Other frameworks and bundlers affected
Several tools that support React Server Components may also be affected. These include:
- React Router (unstable RSC APIs)
- Waku
- Redwood SDK
- Parcel RSC (@parcel/rsc)
- Vite RSC plugin (@vitejs/plugin-rsc)
- Turbopack RSC packages
Each project has posted its own upgrade instructions, but the general rule is to update React, React DOM, and the relevant RSC package to the latest available version.
Who is not affected
You are not affected if:
- Your React application does not use a server.
- Your application does not use any framework or bundler that supports React Server Components.
- You run only client-side React without RSC features.
Classic client-only React apps do not need to take action.
Timeline of the disclosure
- 29 November: Vulnerability reported via Meta Bug Bounty
- 30 November: Meta security researchers confirmed the issue
- 01 December: Fix prepared and shared with hosting providers and framework maintainers
- 03 December: Fix released publicly and CVE-2025-55182 published
Hosting provider mitigations
While some hosting providers were able to apply temporary mitigations, the React Team stresses that these should not be relied upon. Developers must apply the official updates to remove the vulnerability completely.
What you should do now
If you maintain any React or Next.js application, you should:
- Check whether your versions of React or Next.js fall within the affected range.
- Upgrade immediately to the patched versions.
- Review logs for any unusual activity during the vulnerable window.
- Rebuild and redeploy your application after upgrading.
If you use a third-party agency or development team, confirm with them that your application has been reviewed and patched.
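One way to carry out the first step above, as an added example (not code from the React Team, Vercel or this blog): a Node script that walks an npm lockfile and classifies every installed next and react-server-dom-* package against the patched versions listed in this advisory. The version table is copied from this page; the lockfile layout is npm's own, and the classification rules (anything outside the listed release lines reported as unknown rather than safe) are an assumption of this example.

```javascript
// Minimum patched version per release line, taken from this advisory.
// Lines not listed (e.g. 18.x) are reported as 'unknown', not 'patched'.
const RSC_LINES = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };
const PATCHED = {
  'react-server-dom-webpack': RSC_LINES,
  'react-server-dom-parcel': RSC_LINES,
  'react-server-dom-turbopack': RSC_LINES,
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};

// Parse "major.minor.patch[-tag.N]" (e.g. "14.3.0-canary.77"); no semver dependency.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], tag: m[4] || null, pre: m[5] ? +m[5] : null };
}

// Semver-style ordering: a prerelease (15.5.7-canary.3) sorts below its release (15.5.7).
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (a.tag === null || b.tag === null) return (a.tag === null) - (b.tag === null);
  return a.pre - b.pre;
}

// Classify one installed package: 'patched' | 'affected' | 'not-affected' | 'unknown'.
function status(pkg, version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  if (pkg === 'next' && v.major === 14) {
    // 14.3.0-canary.77 and later canaries are affected; stable 14.x is not.
    const canary = v.tag === 'canary' && compareVersions(v, parseVersion('14.3.0-canary.77')) >= 0;
    return canary ? 'affected' : 'not-affected';
  }
  const min = (PATCHED[pkg] || {})[`${v.major}.${v.minor}`];
  if (!min) return 'unknown';
  return compareVersions(v, parseVersion(min)) >= 0 ? 'patched' : 'affected';
}

// Walk an npm lockfile (v2/v3 "packages" map) and report every relevant install,
// including nested copies such as node_modules/foo/node_modules/next.
// Usage: scanLockfile(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (Object.hasOwn(PATCHED, name)) findings.push({ path, name, version: entry.version, status: status(name, entry.version) });
  }
  return findings;
}
```

Any finding with status 'affected' means that copy must be upgraded and the application rebuilt and redeployed; 'unknown' means the version is outside the lines this advisory covers and needs a manual check.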
Official References
CVE record:
https://www.cve.org/CVERecord?id=CVE-2025-55182
Next.js advisory:
https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
React Team announcement:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Final thoughts
Security vulnerabilities of this severity are rare, especially with a CVSS score of 10.0. The transparency and coordinated response from the React ecosystem have helped ensure that fixes were ready as soon as the issue became public.
If you are unsure whether your systems are affected or would like support reviewing your setup, feel free to reach out for guidance. https://mertosolutions.com/contact-us