Critical React Server Components Vulnerability Exposes Apps to Unauthenticated Remote Code Execution
The React Team has issued an urgent security advisory for a critical vulnerability affecting React Server Components that could allow attackers to execute arbitrary code on servers without authentication. The vulnerability, tracked as CVE-2025-55182 and rated with a maximum CVSS score of 10.0, poses a severe threat to applications using the affected packages.
On November 29th, security researcher Lachlan Davidson discovered the vulnerability through Meta's Bug Bounty program, revealing a flaw in how React decodes payloads sent to React Server Function endpoints. "This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0," the React Team stated in their official announcement. "The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack."
Understanding the Threat
React Server Functions enable client-side applications to call functions running on a server. This architecture allows for more dynamic and responsive user experiences by offloading certain processing to the server. However, the vulnerability creates a dangerous pathway for attackers.
"React Server Functions allow a client to call a function on a server," the advisory explains. "React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client."
The critical flaw lies in the deserialization process. "An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server," the React Team warned. This means that even applications without explicit Server Function endpoints might be vulnerable if they support React Server Components.
Affected Packages and Frameworks
The vulnerability impacts three core React packages:
- react-server-dom-webpack (versions 19.0, 19.1.0, 19.1.1, 19.2.0)
- react-server-dom-parcel (versions 19.0, 19.1.0, 19.1.1, 19.2.0)
- react-server-dom-turbopack (versions 19.0, 19.1.0, 19.1.1, 19.2.0)
Several popular frameworks and bundlers that depend on or include these vulnerable packages are also affected:
- Next.js
- React Router
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk
The React Team emphasized that "if your app's React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability."
Immediate Action Required
The React Team has already released patched versions addressing the vulnerability:
- react-server-dom-webpack: 19.0.1, 19.1.2, 19.2.1
- react-server-dom-parcel: 19.0.1, 19.1.2, 19.2.1
- react-server-dom-turbopack: 19.0.1, 19.1.2, 19.2.1
"We recommend upgrading immediately," the advisory stressed. "A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately."
The team has been working with affected hosting providers and open source projects to validate the fix and implement mitigations. "We will update this post with upgrade instructions on how to upgrade as they become available," they added.
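Before upgrading, a defender wants to know whether any copy of the three affected packages (including copies nested under a framework's own node_modules) is present at a vulnerable version. The following is an added example, not code from the React Team or the advisory: it reads a package-lock.json (lockfileVersion 2/3) object and classifies each installed react-server-dom-* copy against the affected and fixed versions listed above. The lockfile contents, the `example-framework` name and the versions in SAMPLE_LOCK are constructed for illustration.

```javascript
// Added example (not from the React advisory): scan a package-lock.json (lockfileVersion 2/3)
// for the three react-server-dom-* packages named in CVE-2025-55182 and classify every
// installed copy, including nested ones under node_modules/<framework>/node_modules/.
const AFFECTED = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);
// Lowest patched patch level per 19.x minor line, per the advisory (19.0.1, 19.1.2, 19.2.1).
const FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

function classifyVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(version);
  if (!m) return 'unparseable';
  const [, major, minor, patch, pre] = m;
  if (pre) return 'prerelease-review-manually';           // advisory lists stable releases only
  if (Number(major) !== 19 || !(minor in FIXED_PATCH)) return 'not-in-advisory';
  return Number(patch) < FIXED_PATCH[minor] ? 'vulnerable' : 'fixed';
}

// The package name is the segment after the last "node_modules/" in a lockfile path.
function nameFromLockPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

function scanLock(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !AFFECTED.has(name) || !entry.version) continue;
    findings.push({ path: lockPath, name, version: entry.version, status: classifyVersion(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): a direct dependency on a fixed version,
// a vulnerable copy nested under a hypothetical framework, and one vulnerable direct copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/example-framework/node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-parcel': { version: '19.0.0' },
    'node_modules/react-dom': { version: '19.2.0' },   // out of scope, ignored
  },
};

for (const f of scanLock(SAMPLE_LOCK)) console.log(`${f.status.padEnd(26)} ${f.name}@${f.version}  (${f.path})`);
```

Nested copies matter because a framework may pin its own react-server-dom-* version independently of the one listed in your package.json, so `npm ls react-server-dom-webpack` (or this scan over the lockfile) should be checked rather than the top-level dependency alone.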
The Discovery Timeline
The vulnerability follows a standard responsible disclosure timeline:
- November 29, 2025: Lachlan Davidson reported the vulnerability via Meta Bug Bounty
- November 30, 2025: Meta security researchers confirmed and began working with the React team
- December 1, 2025: A fix was created and validation began with affected parties
- December 3, 2025: The fix was published to npm and publicly disclosed as CVE-2025-55182
"Thank you to Lachlan Davidson for discovering, reporting, and working to help fix this vulnerability," the React Team acknowledged.
Broader Implications for the React Ecosystem
This critical vulnerability highlights the security challenges inherent in increasingly complex web architectures. As React Server Components continue to gain adoption, security researchers and developers must remain vigilant about potential attack vectors in client-server communication patterns.
The severity of this flaw—allowing unauthenticated remote code execution—underscores the importance of prompt patch management in the development lifecycle. For organizations using affected frameworks, this vulnerability represents not just a technical risk but also a potential compliance and reputational issue if exploited.
As the React ecosystem continues to evolve, security considerations must remain at the forefront of architectural decisions. The rapid response from the React Team demonstrates the importance of coordinated vulnerability disclosure and patch processes in maintaining trust in widely adopted open source technologies.