Meta warns of critical vulnerability in React Server Components

December 4, 2025

Meta has discovered a critical vulnerability in React Server Components. The vulnerability has been given a maximum score of 10.0 and allows for unauthenticated remote code execution. The company is asking users to immediately update to the patched versions.

This concerns CVE-2025-55182, a security vulnerability that allows attackers to execute arbitrary code on vulnerable servers. A malicious party can use a prepared HTTP request to a React Server endpoint to cause code to run on that server. Meta does not want to reveal many details about the exact nature of the vulnerability, but the impact is potentially enormous.

It is difficult to say exactly how serious the vulnerability is. Many companies use React Server Components (RSC) or a framework that contains them. Either their server-side packages may contain the vulnerable code, or a server capable of processing RSC payloads may be running. Anyone running Next.js, for example, should update as soon as possible.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of React Server Components. Applications with explicit React Server Function endpoints are not the only ones affected: apps that support React Server Components without exposing such endpoints are also at risk. The patches are included in versions 19.0.1, 19.1.2, and 19.2.1.

The vulnerability affects three React packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. But the impact goes further. Popular frameworks and bundlers that rely on these packages are also vulnerable. These include Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

For Next.js, versions 15.0 through 16.0 are affected. Users of Next.js 14.3.0-canary.77 or later canary releases should downgrade to the latest stable 14.x release. Next.js 13.x and 14.x stable versions are not vulnerable, nor are Pages Router applications.
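One way to check an installed tree against the affected and patched versions listed above is to scan the `packages` map of a `package-lock.json` for the three `react-server-dom-*` packages. This is an added example, not code from Meta or the React project; the version lists come from the article, and the lock-file fragment is constructed.

```javascript
// Added example: flag react-server-dom-* entries in a package-lock.json (v2/v3
// format) whose version falls below the first patched release for its 19.x line.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched patch level per 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  // Accept "19.0", "19.1.1" and pre-release tags such as "19.0.0-rc.1"
  // (the pre-release tag is ignored; the base version is what is compared).
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3] };
}

// True when the version is 19.0.x, 19.1.x or 19.2.x below the patched release.
function isVulnerableReactServerDom(version) {
  const v = parseVersion(version);
  if (!v || v.major !== 19) return false;
  const fixed = FIXED_PATCH[v.minor];
  if (fixed === undefined) return false; // other minor lines not listed as affected
  return v.patch < fixed;
}

// Return every affected entry, including nested copies under framework packages
// (e.g. node_modules/next/node_modules/react-server-dom-webpack).
function findVulnerableEntries(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    const name = entry.name || (idx >= 0 ? path.slice(idx + "node_modules/".length) : path);
    if (AFFECTED_PACKAGES.has(name) && isVulnerableReactServerDom(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock-file fragment; two of the three entries need updating.
const sampleLock = {
  packages: {
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};

console.log(findVulnerableEntries(sampleLock));
```

Run it against a real lock file with `findVulnerableEntries(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means no listed package version is present, not that the surrounding framework is patched, so still confirm the framework version separately.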

Lachlan Davidson reported the vulnerability on November 29 through the Meta Bug Bounty program. Meta security researchers confirmed the issue a day later and immediately began working with the React team on a solution. A fix was available on December 1, after which Meta collaborated with hosting providers and open source projects to roll out the patch.

On December 3, Meta published the fix to npm and made the vulnerability public. Security researchers point out that the speed of the response was crucial, given that React is used by 82 percent of JavaScript developers, according to the State of JavaScript 2024 survey.

Some hosting providers have applied temporary mitigations. However, Meta emphasizes that organizations should not rely on these and should still update. The severity of the vulnerability—a score of 10.0 means maximum risk—requires immediate action.