Alerts

Critical Vulnerability in React Server Components and Next.js

4 December 2025

Security researchers have identified a critical vulnerability in React Server Components (RSC) and Next.js framework. Users and administrators of affected product versions are advised to update to the latest version immediately.

Background

Security researchers have identified a critical vulnerability (CVE-2025-55182) in React Server Components (RSC) and Next.js framework. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10.0.

Impact

Successful exploitation of the vulnerability could allow an unauthenticated attacker to perform remote code execution through crafted HTTP requests.

Affected Products

The vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages

react-server-dom-webpack

react-server-dom-parcel

react-server-dom-turbopack

The vulnerability also affects Next.js versions

15.x

16.x

14.3.0-canary.77 and later canary releases

Mitigation

Users and administrators of affected product versions are advised to update to the latest version immediately. If on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-55182

https://www.darkreading.com/vulnerabilities-threats/critical-react-flaw-triggers-immediate-action

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Critical Vulnerability in React Server Components and Next.js

Reach us