Critical Vulnerability in React Server Components and Next.js
4 December 2025
Security researchers have identified a critical vulnerability in React Server Components (RSC) and the Next.js framework. Users and administrators of affected product versions are advised to update to the latest version immediately.
Background
Security researchers have identified a critical vulnerability (CVE-2025-55182) in React Server Components (RSC) and the Next.js framework. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10.0.
Impact
Successful exploitation of the vulnerability could allow an unauthenticated attacker to perform remote code execution through crafted HTTP requests.
Affected Products
The vulnerability impacts versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
The vulnerability also affects the following Next.js versions:
15.x
16.x
14.3.0-canary.77 and later canary releases
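As an added example (not part of the advisory or of the React or Next.js projects), the following Node.js snippet checks a parsed package-lock.json against the packages and versions listed above, including nested copies pulled in by other dependencies. It assumes lockfileVersion 2 or 3 (a "packages" map) and reads "19.0" as 19.0.0; the function names and the sample lockfile are constructed for illustration. Because the advisory lists 15.x and 16.x as whole release lines, a hit there means the installed version still has to be compared against the vendor's fixed release, which this page does not list.

```javascript
// Added example (not from the advisory): flag lockfile entries in the listed ranges.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Assumption: the advisory's "19.0" is read as 19.0.0.
const RSC_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// True when a Next.js version is in a listed range:
// 15.x, 16.x, or 14.3.0-canary.77 and later canary releases.
function nextIsListed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?/.exec(version);
  if (!m) return false;
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major === 15 || major === 16) return true;
  if (major !== 14 || m[4] === undefined) return false; // stable 14.x is not listed
  if (minor !== 3 || patch !== 0) return minor > 3 || (minor === 3 && patch > 0);
  return Number(m[4]) >= 77;
}

// Walk the "packages" map of a parsed lockfile (lockfileVersion 2 or 3).
// Keys look like "node_modules/a/node_modules/b", so nested copies are found too.
function findListed(lockfile) {
  const found = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    const version = meta.version || "";
    const listed = RSC_PACKAGES.has(name)
      ? RSC_VERSIONS.has(version)
      : name === "next" && nextIsListed(version);
    if (listed) found.push({ path, name, version });
  }
  return found;
}

// Constructed sample lockfile; package paths and versions are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "14.3.0-canary.80" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/tool/node_modules/next": { version: "14.2.3" },
    "node_modules/tool/node_modules/react-server-dom-turbopack": { version: "19.2.0" },
  },
};

console.log(findListed(SAMPLE_LOCK));
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findListed in place of the sample object.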
Mitigation
Users and administrators of affected product versions are advised to update to the latest version immediately. Users on Next.js 14.3.0-canary.77 or a later canary release should downgrade to the latest stable 14.x release.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.darkreading.com/vulnerabilities-threats/critical-react-flaw-triggers-immediate-action
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html
