RCE Vulnerability in React and Next.js
8 days ago
- #Next.js
- #React
- #Security
- Vulnerability affects React packages (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0) and frameworks like Next.js 15.x/16.x (App Router).
- Tracked as CVE-2025-55182.
- Fixed versions: React 19.0.1, 19.1.2, 19.2.1; Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7.
- Also impacts experimental canary releases (14.3.0-canary.77+). Users should downgrade to 14.x stable or 14.3.0-canary.76.
- Affected React packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
- Urgent upgrade recommended for stable Next.js 15.x/16.x users.