惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Martin Fowler
Martin Fowler
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
博客园 - 聂微东
IT之家
IT之家
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Y
Y Combinator Blog
博客园 - 【当耐特】
The Cloudflare Blog
宝玉的分享
宝玉的分享
罗磊的独立博客
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
Visual Studio Blog
小众软件
小众软件
博客园_首页
Last Week in AI
Last Week in AI
J
Java Code Geeks
V
V2EX
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
阮一峰的网络日志
阮一峰的网络日志
腾讯CDC
博客园 - 司徒正美
Engineering at Meta
Engineering at Meta
The GitHub Blog
The GitHub Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
DataBreaches.Net
博客园 - 三生石上(FineUI控件)
MyScale Blog
MyScale Blog
云风的 BLOG
云风的 BLOG
The Register - Security
The Register - Security
M
MIT News - Artificial intelligence
Microsoft Azure Blog
Microsoft Azure Blog
T
The Blog of Author Tim Ferriss
N
Netflix TechBlog - Medium
F
Full Disclosure
B
Blog
H
Help Net Security
C
Check Point Blog
WordPress大学
WordPress大学
人人都是产品经理
人人都是产品经理
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Jina AI
Jina AI
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
L
LangChain Blog
P
Proofpoint News Feed
D
Docker
Microsoft Security Blog
Microsoft Security Blog

React Blog

The React Foundation: A New Home for React Hosted by the Linux Foundation – React Denial of Service and Source Code Exposure in React Server Components – React React Conf 2025 Recap – React Introducing the React Foundation – React React Compiler v1.0 – React React 19.2 – React React Labs: View Transitions, Activity, and more – React Sunsetting Create React App – React React v19 – React React Compiler Beta Release – React React Conf 2024 Recap – React React 19 Upgrade Guide – React React Labs: What We've Been Working On – February 2024 – React React Canaries: Enabling Incremental Feature Rollout Outside Meta – React React Labs: What We've Been Working On – March 2023 – React Introducing react.dev – React React Labs: What We've Been Working On – June 2022 – React React v18.0 – React How to Upgrade to React 18 – React React Conf 2021 Recap – React The Plan for React 18 – React Introducing Zero-Bundle-Size React Server Components – React
Critical Security Vulnerability in React Server Components – React
The React Te · 2025-12-03 · via React Blog

December 3, 2025 by The React Team


There is an unauthenticated remote code execution vulnerability in React Server Components.

We recommend upgrading immediately.


On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

Immediate Action Required

A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

Affected frameworks and bundlers

Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

See the update instructions below for how to upgrade to these patches.

Hosting Provider Mitigations

We have worked with a number of hosting providers to apply temporary mitigations.

You should not depend on these to secure your app, and still update immediately.

Vulnerability overview

React Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.

An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.

Update Instructions

Note

Next.js

All users should upgrade to the latest patched version in their release line:

npm install next@14.2.35 // for 13.3.x, 13.4.x, 13.5.x, 14.x

npm install next@15.0.8 // for 15.0.x

npm install next@15.1.12 // for 15.1.x

npm install next@15.2.9 // for 15.2.x

npm install next@15.3.9 // for 15.3.x

npm install next@15.4.11 // for 15.4.x

npm install next@15.5.10 // for 15.5.x

npm install next@16.0.11 // for 16.0.x

npm install next@16.1.5 // for 16.1.x

npm install next@15.6.0-canary.60 // for 15.x canary releases

npm install next@16.1.0-canary.19 // for 16.x canary releases

15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.10, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5

If you are on version 13.3 or later version of Next.js 13 (13.3.x, 13.4.x, or 13.5.x) please upgrade to version 14.2.35.

If you are on next@14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:

See the Next.js blog for the latest update instructions and the previous changelog for more info.

React Router

If you are using React Router’s unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:

npm install react@latest

npm install react-dom@latest

npm install react-server-dom-parcel@latest

npm install react-server-dom-webpack@latest

npm install @vitejs/plugin-rsc@latest

Expo

To learn more about mitigating, read the article on expo.dev/changelog.

Redwood SDK

Ensure you are on rwsdk>=1.0.0-alpha.0

For the latest beta version:

Upgrade to the latest react-server-dom-webpack:

npm install react@latest react-dom@latest react-server-dom-webpack@latest

See Redwood docs for more migration instructions.

Waku

Upgrade to the latest react-server-dom-webpack:

npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest

See Waku announcement for more migration instructions.

@vitejs/plugin-rsc

Upgrade to the latest RSC plugin:

npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest

react-server-dom-parcel

Update to the latest version:

npm install react@latest react-dom@latest react-server-dom-parcel@latest

react-server-dom-turbopack

Update to the latest version:

npm install react@latest react-dom@latest react-server-dom-turbopack@latest

react-server-dom-webpack

Update to the latest version:

npm install react@latest react-dom@latest react-server-dom-webpack@latest

React Native

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

This is required to mitigate the security advisory, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native.

See this issue for more information.

Timeline

  • November 29th: Lachlan Davidson reported the security vulnerability via Meta Bug Bounty.
  • November 30th: Meta security researchers confirmed and began working with the React team on a fix.
  • December 1st: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix
  • December 3rd: The fix was published to npm and the publicly disclosed as CVE-2025-55182.

Attribution

Thank you to Lachlan Davidson for discovering, reporting, and working to help fix this vulnerability.