Critical Security Vulnerability in React Server Components
8 days ago
- #Vulnerability
- #React
- #Security
- Critical security vulnerability (CVE-2025-55182) found in React Server Components, allowing unauthenticated remote code execution.
- Affected versions: React 19.0.0, 19.1.0, 19.1.1, and 19.2.0.
- Fixed versions available: 19.0.1, 19.1.2, and 19.2.1.
- Apps not using React Server Components or server-side React are not affected.
- Affected frameworks and bundlers include Next.js, React Router, Waku, and others.
- Some hosting providers have deployed temporary mitigations on their edge, but these do not replace patching; updating to a fixed version immediately is recommended.
- Detailed update instructions provided for Next.js, React Router, Expo, Redwood SDK, Waku, and other affected tools.
- Root cause: a specially crafted HTTP request sent to a Server Function endpoint is processed in a way that lets an unauthenticated attacker execute code on the server.
- Timeline: Reported on November 29th, confirmed on November 30th, fix published on December 3rd.
- Credit: Lachlan Davidson discovered and reported the vulnerability.
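As an added example that is not part of the React advisory or this summary, the following Node script audits an npm lockfile (lockfileVersion 2 or 3, the `packages` map) for the affected React versions listed above, including nested copies that `npm ls` can hide. It assumes, beyond what the page states, that the vulnerable code ships in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages alongside react and react-dom, so those five names are watched; the lockfile excerpt is constructed for the example. Prerelease and canary builds are reported for manual review rather than guessed at.

```javascript
// Added example (not from the React advisory): audit an npm lockfile for
// React versions affected by CVE-2025-55182.
// Assumption, not stated on the page: the vulnerable code ships in the
// react-server-dom-* packages alongside react / react-dom, so all are watched.

const WATCHED_PACKAGES = new Set([
  "react",
  "react-dom",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Affected per the advisory: 19.0.0, 19.1.0, 19.1.1, 19.2.0.
// Fixed: 19.0.1, 19.1.2, 19.2.1 (and anything newer).
// Returns true/false, or null when the version needs manual review
// (prerelease/canary builds, git URLs, dist-tags) rather than guessing.
function isAffectedReactVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(String(version));
  if (!m) return null;
  if (m[4] !== undefined) return null;   // prerelease: fix state unknown
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major !== 19) return false;        // only 19.x is listed as affected
  if (minor === 0) return patch < 1;     // 19.0.0 affected, 19.0.1 fixed
  if (minor === 1) return patch < 2;     // 19.1.0 and 19.1.1 affected, 19.1.2 fixed
  if (minor === 2) return patch < 1;     // 19.2.0 affected, 19.2.1 fixed
  return false;                          // 19.3 and later postdate the fix
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3).
// Keys look like "node_modules/react" or, for nested copies,
// "node_modules/<dep>/node_modules/react", so every installed copy is
// inspected, not only the top-level one.
function auditLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue;            // "" is the root project entry
    const name = path.slice(idx + marker.length);
    if (!WATCHED_PACKAGES.has(name)) continue;
    findings.push({
      path,
      name,
      version: entry.version,
      affected: isAffectedReactVersion(entry.version),
    });
  }
  return findings;
}

// Overall verdict: "affected" if any copy is vulnerable, "review" if any
// copy could not be classified, otherwise "clean".
function verdict(findings) {
  if (findings.some((f) => f.affected === true)) return "affected";
  if (findings.some((f) => f.affected === null)) return "review";
  return "clean";
}

// Constructed lockfile excerpt for the example: the app pins 19.2.0 (affected)
// and a tooling dependency pulls in a nested React 18 (not affected).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react": { version: "18.3.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-react-rsc.js [path/to/package-lock.json]
  // Without an argument the constructed SAMPLE_LOCK above is audited.
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  for (const f of findings) {
    const state = f.affected === null ? "REVIEW" : f.affected ? "AFFECTED" : "ok";
    console.log(`${state.padEnd(8)} ${f.name}@${f.version}  (${f.path})`);
  }
  const result = verdict(findings);
  console.log(`verdict: ${result}`);
  process.exitCode = result === "clean" ? 0 : 1;
}
```

The non-zero exit code on "affected" or "review" makes the script usable as a CI gate; the nested-copy handling matters because a framework or dev tool can vendor its own React copy that a top-level `package.json` bump does not touch.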