⚠️ Critical RCE Vulnerability in React Server Components (CVSS 10.0)

Published: December 12, 2025 at 04:51 AM EST
Source: Dev.to

🚨 Why this vulnerability matters

React Server Components introduce a hybrid rendering model where the server returns component trees to the client. The disclosed vulnerability allows malicious actors to abuse this protocol and inject payloads that get executed server‑side, leading to:

  • Full server compromise
  • Access to environment variables
  • Supply‑chain risk via poisoned responses
  • Lateral movement inside the infrastructure

This is one of the most severe RSC‑related issues ever published.

⚠️ Affected technologies

React Server Components packages

Status       Versions
Vulnerable   19.0, 19.1.0, 19.1.1, 19.2.0
Patched      19.0.1, 19.1.2, 19.2.1+

Next.js with App Router

Next.js uses RSC under the hood, so any application that uses the App Router (the /app directory) is affected by default.

Vulnerable Next.js versions

  • 15.x
  • 16.x (various releases)

Patched Next.js versions

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

🔧 Required actions (immediate)

Upgrade React RSC packages to one of the secure versions:

  • 19.0.1, 19.1.2, 19.2.1, or later.

Upgrade Next.js to a patched version listed above.

After updating dependencies:

  1. Rebuild and redeploy all affected applications.
  2. Rotate secrets/credentials if your service was deployed with vulnerable versions.
  3. (Recommended) Review logs for suspicious RSC request patterns.

🔍 How to check if your project is affected

For React projects

npm ls react-server react-server-dom-webpack

Or inspect package.json / pnpm-lock.yaml for the vulnerable versions listed above.

For Next.js projects

npx next info

Check whether:

  • You’re using the App Router (/app directory)
  • Your Next.js version falls within the vulnerable range
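To turn the version lists above into a repeatable check, here is an added example (not part of the original post, and not React or Next.js tooling) that classifies each package found in `npm ls --json` output against the advisory's vulnerable and patched versions. The package names `react-server-dom-webpack` and `next` are taken from the commands above; the dependency tree is a constructed sample.

```javascript
// Added example (not from the original post): classify package versions against the
// advisory's tables and audit an `npm ls --json` tree. Package names come from the
// commands in the post; minimum patched version per minor line is copied from its tables.
const PATCHED = {
  'react-server-dom-webpack': { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' },
  next: { '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
          '15.4': '15.4.8', '15.5': '15.5.7', '16.0': '16.0.7' },
};
// "19.0" -> [19,0,0]; a prerelease tag (19.2.1-canary.3) is kept so it sorts below
// the final release of the same number.
function parseVersion(v) {
  const m = /^[\^~=v]?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[\w.]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)], pre: Boolean(m[4]) };
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  return (b.pre ? 1 : 0) - (a.pre ? 1 : 0); // same number: prerelease sorts lower
}
// 'vulnerable' | 'patched' | 'not-listed' (minor line absent from the advisory,
// verify by hand) | 'not-covered' (package outside the scope of this check).
function classify(pkg, version) {
  const lines = PATCHED[pkg];
  if (!lines) return 'not-covered';
  const v = parseVersion(version);
  const fix = lines[`${v.nums[0]}.${v.nums[1]}`];
  if (!fix) return 'not-listed';
  return compareVersions(v, parseVersion(fix)) < 0 ? 'vulnerable' : 'patched';
}
// Walks a tree shaped like `npm ls --json` output, including nested copies that
// npm could not dedupe; deps without a version field (missing packages) are skipped.
function auditNpmTree(tree) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const status = info.version ? classify(name, info.version) : 'not-covered';
      const at = [...path, name].join(' > ');
      if (status !== 'not-covered') findings.push({ name, version: info.version, status, at });
      walk(info.dependencies, [...path, name]);
    }
  };
  walk(tree.dependencies, []);
  return findings;
}
// Constructed sample, shaped like `npm ls --json` output (not a real project).
const SAMPLE_TREE = { name: 'demo-app', dependencies: {
  next: { version: '15.4.7', dependencies: { 'react-server-dom-webpack': { version: '19.2.0' } } },
  'react-server-dom-webpack': { version: '19.2.1' },
  react: { version: '19.2.0' },
} };
for (const f of auditNpmTree(SAMPLE_TREE)) console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.at})`);
```

Pipe real output in with `npm ls --all --json > tree.json` and pass the parsed file to `auditNpmTree`; a nested vulnerable copy under another package is reported with its path so it is not masked by a patched top-level install.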

📌 Applicability

This advisory applies to:

  • Projects built on React that use RSC
  • Projects built on Next.js App Router
  • Any backend that processes RSC protocol traffic

It does not impact traditional React applications that do not use RSC.

🔥 Final notes

This vulnerability is a rare case where React’s server‑side infrastructure itself becomes the attack vector: it is remotely exploitable without authentication and can lead to full server compromise.

If your team maintains applications using RSC or Next.js App Router, treat these updates as urgent.

Stay safe and patch early.

React Team — “Critical Security Vulnerability in React Server Components (CVE‑2025‑55182)”

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
