Security advisory
Summary of CVE-2025-55182 (React Server Components RCE)
Critical-severity RCE impacting React 19 Server Components and downstream frameworks including Next.js. Patched versions and mitigation steps.
Summary
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Under certain conditions, specially crafted requests could lead to unintended remote code execution. We deployed mitigations on Vercel WAF at no cost, and strongly recommend upgrading to patched versions regardless of hosting provider.
Impact
Applications using affected versions of React Server Components may process untrusted input in a way that allows an attacker to perform remote code execution. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
- react-server-dom-parcel
- react-server-dom-webpack
- react-server-dom-turbopack
These packages are included in frameworks and bundlers such as Next.js (versions ≥14.3.0-canary.77, ≥15, ≥16) and other RSC-embedding frameworks.
Resolution
We created mitigations and deployed them across our platform to protect customers. All users should upgrade to patched versions as soon as possible. If you are on a Next.js canary build (14.3.0-canary.77+), downgrade to the latest stable 14.x or upgrade to patched releases.
Recommended action
- Upgrade React and Next.js to patched versions listed below.
- Redeploy your application after dependency updates.
- Monitor for unusual RSC-related requests during rollout.
Fixed in
React
- 19.0.1
- 19.1.2
- 19.2.1
Next.js
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 15.6.0-canary.58
- 16.0.7
Frameworks and bundlers embedding the affected RSC packages should install the latest versions provided by their maintainers.
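As an added example (not Vercel's, React's or Next.js's own code), the following Node script classifies the package versions found in a package-lock.json style `packages` map against the affected and fixed versions listed in this advisory. It assumes "19.0" in the affected list means 19.0.0, that later patch releases on a fixed minor line stay fixed, and treats version lines the advisory does not mention as "unknown"; the lockfile object at the bottom is constructed sample input.

```javascript
// Version data below is taken from the advisory; everything else is assumption or sample.
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-webpack", "react-server-dom-turbopack"];
// First patched patch release per React 19 minor line (19.0.1, 19.1.2, 19.2.1).
const REACT_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };
// First patched patch release per Next.js stable minor line (15.0.5 ... 15.5.7, 16.0.7).
const NEXT_FIXED_PATCH = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };

// Parse "MAJOR.MINOR.PATCH" with an optional "-canary.N" suffix; other formats return null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], canary: m[4] === undefined ? null : +m[4] };
}

// react-server-dom-*: "affected", "patched", or "unknown" (line not covered by the advisory).
function classifyReactRsc(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19 || p.canary !== null || !(p.minor in REACT_FIXED_PATCH)) return "unknown";
  return p.patch >= REACT_FIXED_PATCH[p.minor] ? "patched" : "affected";
}

// next: adds "unaffected" for releases before 14.3.0-canary.77 and for stable 14.x.
function classifyNext(version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  if (p.major < 14) return "unaffected";
  if (p.major === 14) {
    if (p.canary === null || p.minor < 3) return "unaffected"; // stable 14.x or pre-14.3 canary
    if (p.minor === 3 && p.patch === 0) return p.canary >= 77 ? "affected" : "unaffected";
    return "unknown";
  }
  // 15.6.0-canary.58 is the first patched canary on the 15.6 line.
  if (p.major === 15 && p.minor === 6 && p.patch === 0 && p.canary !== null) return p.canary >= 58 ? "patched" : "affected";
  if (p.canary !== null) return "unknown";
  const line = `${p.major}.${p.minor}`;
  if (!(line in NEXT_FIXED_PATCH)) return "unknown";
  return p.patch >= NEXT_FIXED_PATCH[line] ? "patched" : "affected";
}

// Walk a lockfile's "packages" map (keys like "node_modules/next") and report relevant entries.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // root entry or workspace path, not an installed package
    const name = path.slice(idx + "node_modules/".length);
    if (RSC_PACKAGES.includes(name)) findings.push({ name, version: meta.version, status: classifyReactRsc(meta.version) });
    else if (name === "next") findings.push({ name, version: meta.version, status: classifyNext(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "sample-app" },
  "node_modules/next": { version: "15.5.6" },
  "node_modules/react": { version: "19.2.0" },
  "node_modules/react-server-dom-webpack": { version: "19.2.0" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any "affected" finding means the app should be upgraded and redeployed.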
References
Credit
Thanks to Lachlan Davidson for identifying and responsibly reporting the vulnerability, and the Meta Security and React team for their partnership.