**Page:** Important Security Update for Next.js 15, 16 & react SSR | Merto Software Solutions

**Description:** A critical CVSS 10.0 security vulnerability (CVE-2025-55182) has been discovered in React Server Components, affecting React, Next.js and several related frameworks. This blog explains what happened, who is affected, and how development teams should respond immediately.

**Canonical:** https://mertosolutions.com/blog/critical-react-server-components-vulnerability-cve-2025-55182

---


Published 04/12/2025 · Author: Merto Team

# Critical Security Vulnerability in React Server Components (CVE-2025-55182)

- **Published:** 03 December 2025
- **Updated:** 03 December 2025
- **Reported by:** Lachlan Davidson
- **Severity:** CVSS 10.0 (Critical)

A critical security vulnerability has been disclosed in **React Server Components**, affecting a wide range of applications built with **React** and **Next.js**. The flaw can allow **unauthenticated remote code execution**, making it one of the most severe vulnerabilities ever published within the React ecosystem.

This blog provides a clear overview of what happened, who is affected, and the actions development teams should take immediately.

## What happened

On 29 November 2025, security researcher **Lachlan Davidson** reported a flaw in how React deserialises payloads handled by **React Server Function endpoints**. This flaw allows an attacker to craft a malicious HTTP request that, when processed by a vulnerable server, can lead to remote code execution.

The vulnerability affects applications even if they do not explicitly use React Server Functions. If an application supports **React Server Components (RSC)**, it may still be vulnerable.

On **03 December 2025**, the issue was publicly disclosed as **CVE-2025-55182** after fixes were released across the ecosystem.

## Affected React versions

The vulnerability is present in the following versions of the React Server Components packages:

- 19.0
- 19.1.0
- 19.1.1
- 19.2.0

These packages include:

- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

### Patched Versions

A fix has been shipped in:

- 19.0.1
- 19.1.2
- 19.2.1

Developers should upgrade immediately to one of the patched versions.

## Impact on Next.js users

Next.js is one of the largest adopters of React Server Components. As a result, most modern Next.js applications fall within the affected category.

The React Team and Vercel have released patches for all supported release lines.

### Required Next.js upgrades

- `npm install next@15.0.5`
- `npm install next@15.1.9`
- `npm install next@15.2.6`
- `npm install next@15.3.6`
- `npm install next@15.4.8`
- `npm install next@15.5.7`
- `npm install next@16.0.7`

If you are running Next.js 14.3.0-canary.77 or later canary versions, downgrade to the latest stable 14.x release.

## Other frameworks and bundlers affected

Several tools that support React Server Components may also be affected. These include:

- React Router (unstable RSC APIs)
- Waku
- Redwood SDK
- Parcel RSC (@parcel/rsc)
- Vite RSC plugin (@vitejs/plugin-rsc)
- Turbopack RSC packages

Each project has posted its own upgrade instructions, but the general rule is to update React, React DOM, and the relevant RSC package to the latest available version.

## Who is not affected

You are not affected if:

- Your React application does not use a server.
- Your application does not use any framework or bundler that supports React Server Components.
- You run only client-side React without RSC features.

Classic client-only React apps do not need to take action.

## Timeline of the disclosure

- 29 November: Vulnerability reported via Meta Bug Bounty
- 30 November: Meta security researchers confirmed the issue
- 01 December: Fix prepared and shared with hosting providers and framework maintainers
- 03 December: Fix released publicly and CVE-2025-55182 published

## Hosting provider mitigations

While some hosting providers were able to apply temporary mitigations, the React Team stresses that these should not be relied upon. Developers must apply the official updates to remove the vulnerability completely.

## What you should do now

If you maintain any React or Next.js application, you should:

1. Check whether your versions of React or Next.js fall within the affected range.
2. Upgrade immediately to the patched versions.
3. Review logs for any unusual activity during the vulnerable window.
4. Rebuild and redeploy your application after upgrading.

If you use a third-party agency or development team, confirm with them that your application has been reviewed and patched.

## Official References

CVE record: [https://www.cve.org/CVERecord?id=CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182)

Next.js advisory: [https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp](https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)

React Team announcement: [https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)

## Final thoughts

Security vulnerabilities of this severity are rare, especially with a CVSS score of 10.0. The transparency and coordinated response from the React ecosystem have helped ensure that fixes were ready as soon as the issue became public.

If you are unsure whether your systems are affected or would like support reviewing your setup, feel free to reach out for guidance. [https://mertosolutions.com/contact-us](https://mertosolutions.com/contact-us)

