CVE-2025-55182
React Server Components are Vulnerable to RCE
Description
### Impact There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of: * [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack) * [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel) * [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme) ### Patches A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately. If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability. ### References See the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.
How to fix CVE-2025-55182
To remediate CVE-2025-55182, upgrade the affected package to a fixed version below.
- —upgrade to 19.0.1 or later
- —upgrade to 19.0.1 or later
- —upgrade to 19.0.1 or later
Is CVE-2025-55182 being exploited?
Yes — CVE-2025-55182 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.