NewsSecurity Vulnerabilities

Critical remote code execution Vulnerabilities in React and Next.js (CVE-2025-55182)

CVE number – CVE-2025-55182

A new security update from React resolves a critical vulnerability found in React Server Components. The issue also impacts JavaScript applications and frameworks that rely on this feature.

CVE-2025-55182 is an unauthenticated remote code execution (RCE) vulnerability with a CVSSv3 score of 10.0.

A remote, unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialised by React, could allow the attacker to execute arbitrary code on the server. 

Note: CVE-2025-66478 has been issued by Vercel (developers of Next.js). CVE-2025-66478 is a duplicate of CVE-2025-55182.

React Server Components enable web clients to invoke functions on the React server by converting HTTP requests into function calls and sending the resulting data back to the client.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

Further information

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://www.cve.org/CVERecord?id=CVE-2025-55182

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.