4:45pm, 4 December 2025
Remote code execution vulnerability affecting React Server Components
CVE-2025-55182 is a pre-authentication remote code execution vulnerability affecting React Server Components. The NCSC is aware of a public proof of concept (POC) and reports of active exploitation for this vulnerability.
A malicious HTTP request sent to any Server Function endpoint, when deserialized by React, could achieve remote code execution on the server.
Note: Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.
What's happening
Systems affected
The vulnerability impacts versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the following npm packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
What to look for
How to tell if you're at risk
You are at risk if you are running any of the affected package versions listed above.
How to tell if you're affected
All noted versions of React Server are affected, along with any React apps that support React Server Components.
What to do
Mitigation
To mitigate the vulnerability, React Server components need to be upgraded to:
React:
- 19.0.1
- 19.1.2
- 19.2.1
Next.js:
- 15.0.5
- 15.1.9
- 15.2.6
- 15.3.6
- 15.4.8
- 15.5.7
- 16.0.7
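The "Systems affected" and "Mitigation" sections above give the affected package names and versions and the patched React releases. The following is an added example, not part of the NCSC advisory or of the React project, that scans a package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map) for the three affected packages at the listed versions. The mapping from each affected minor line to its patched release (19.0.x to 19.0.1, 19.1.x to 19.1.2, 19.2.x to 19.2.1) is an assumption drawn from the version lists above; the sample lockfile is constructed for the demonstration.

```javascript
// Added example (not from the advisory): find affected React Server Components
// packages in a package-lock.json and report the patched release to move to.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Affected versions as listed in the advisory.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Assumed mapping of each affected minor line to the patched React release
// listed in the advisory; confirm against the vendor notice before upgrading.
const FIXED_FOR_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Lockfile keys are paths such as "node_modules/next/node_modules/@scope/pkg";
// the package name is everything after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns one finding per affected package instance, including nested copies.
function findAffected(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const version = entry.version;
    if (!AFFECTED_VERSIONS.has(version)) continue;
    const minor = version.split(".").slice(0, 2).join(".");
    findings.push({ path: lockPath, name, version, fixed: FIXED_FOR_MINOR[minor] });
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk (not used in the demo below).
function scanLockfile(filePath) {
  const fs = require("fs");
  return findAffected(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample lockfile: two affected packages, one already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0" },
  },
};

for (const f of findAffected(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected; upgrade to ${f.fixed}`);
}
```

Run it against a real project with `scanLockfile("path/to/package-lock.json")`. Nested copies under another package's node_modules are reported separately, since a framework may pin its own copy of these packages; each instance needs to reach a patched version.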
More information
Read more about this alert on the vendor website:
Critical Security Vulnerability in React Server Components
If you require more information or further support, submit a report on our website:
If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.