Clusterify.AI
© 2025 All Rights Reserved, Clusterify Solutions FZCO
Security Vulnerability in React Server Components – UPDATE NOW

There is an unauthenticated remote code execution vulnerability in React Server Components.
We recommend upgrading immediately.
On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the React packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack (the packages whose upgrade commands are given below).
If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
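The paragraphs above give a practitioner everything needed for a first triage: the three vulnerable package names, the four affected versions, the Next.js canary cut-off, and the list of frameworks that bundle or peer-depend on those packages. The script below is an added example written for this page (not code from React, the advisory, or any of the named frameworks) that turns that information into an audit of an npm package-lock.json. It walks the lockfile's "packages" map (lockfileVersion 2 or 3), so it also catches a copy of react-server-dom-* nested under a framework's own node_modules directory, which a glance at the top-level package.json would miss. The sample lockfile, the framework version numbers in it, and the "review" classification for framework entries are constructed assumptions; the vulnerable version list and framework names come straight from the advisory text above.

```javascript
'use strict';
// Added example for this page; not code from React, the advisory, or any framework.
// Audits an npm lockfile (lockfileVersion 2 or 3 "packages" map) for the
// react-server-dom-* versions the advisory lists as vulnerable and for the
// frameworks it names as affected. Assumption: the advisory's "19.0" means
// the 19.0.0 release.

const VULNERABLE_RSC_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
const VULNERABLE_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const AFFECTED_FRAMEWORKS = new Set([
  'next', 'react-router', 'waku', '@parcel/rsc', '@vitejs/plugin-rsc', 'rwsdk',
]);

// Split "19.2.0" or "14.3.0-canary.80" into numeric parts plus prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Package name from a lockfile path, including nested and scoped copies,
// e.g. "node_modules/next/node_modules/@vitejs/plugin-rsc" -> "@vitejs/plugin-rsc".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Returns { level: 'vulnerable' | 'review' | 'ok', reason }.
function classify(name, version) {
  const p = parseVersion(version);
  if (VULNERABLE_RSC_PACKAGES.has(name)) {
    if (!p) return { level: 'review', reason: `${name}@${version}: unparseable version` };
    if (p.prerelease) {
      // Canary/RC builds are not on the advisory's list; check them by hand.
      return { level: 'review', reason: `${name}@${version}: prerelease, verify against the package changelog` };
    }
    if (VULNERABLE_VERSIONS.has(`${p.major}.${p.minor}.${p.patch}`)) {
      return { level: 'vulnerable', reason: `${name}@${version} is in the advisory's affected version list` };
    }
    return { level: 'ok', reason: '' };
  }
  // Next.js canary rule from the advisory: 14.3.0-canary.77 and later canaries.
  if (name === 'next' && p && p.major === 14 && p.minor === 3 && p.patch === 0 && p.prerelease) {
    const c = /^canary\.(\d+)$/.exec(p.prerelease);
    if (c && Number(c[1]) >= 77) {
      return { level: 'vulnerable', reason: 'Next.js 14.3.0-canary.77 or later: downgrade to the latest stable 14.x' };
    }
  }
  if (AFFECTED_FRAMEWORKS.has(name)) {
    // The framework itself may bundle or peer-depend on a vulnerable package.
    return { level: 'review', reason: `${name} is an affected framework: apply its upgrade instructions` };
  }
  return { level: 'ok', reason: '' };
}

// Walks every installed copy in the lockfile and returns the non-ok entries.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (!name || !entry || !entry.version) continue;
    const c = classify(name, entry.version);
    if (c.level !== 'ok') findings.push({ path: lockPath, name, version: entry.version, ...c });
  }
  return findings;
}

// Constructed sample lockfile; the framework versions are made up for the demo.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next': { version: '14.3.0-canary.80' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
    'node_modules/waku': { version: '0.27.0' },
    'node_modules/waku/node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/@vitejs/plugin-rsc': { version: '0.5.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.level.toUpperCase().padEnd(10)} ${f.path}  ${f.reason}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json; a lockfileVersion 1 file keeps its tree under "dependencies" rather than "packages", and pnpm or yarn lockfiles need their own parser. A "vulnerable" finding on a nested copy such as node_modules/next/node_modules/react-server-dom-turbopack means the framework ships its own copy, so the fix is the framework's upgrade command rather than a direct dependency bump.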
We will update this post with upgrade instructions as they become available.
We have worked with a number of hosting providers to apply temporary mitigations.
You should not depend on these to secure your app, and still update immediately.
React Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.
An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.
All users should upgrade to the latest patched version in their release line. Framework-specific instructions follow.
Next.js
If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
See the Next.js changelog for more info.
React Router
If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:
Expo
To learn more about mitigating, read the article on expo.dev/changelog.
RedwoodSDK (rwsdk)
Ensure you are on rwsdk>=1.0.0-alpha.0.
For the latest beta version:
Upgrade to the latest react-server-dom-webpack:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
See Redwood docs for more migration instructions.
Waku
Upgrade to the latest react-server-dom-webpack:
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
See Waku announcement for more migration instructions.
Vite (@vitejs/plugin-rsc)
Upgrade to the latest RSC plugin:
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
react-server-dom-parcel
Update to the latest version:
npm install react@latest react-dom@latest react-server-dom-parcel@latest
react-server-dom-turbopack
Update to the latest version:
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
react-server-dom-webpack
Update to the latest version:
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Thank you to Lachlan Davidson for discovering, reporting, and working to help fix this vulnerability.