React Remote Code Execution Vulnerability

Release Date: 4 Dec 2025

RISK: Medium Risk

TYPE: Servers - Other Servers

A vulnerability has been identified in React. A remote attacker could exploit this vulnerability to trigger remote code execution on the targeted system.

 

Note:

The vulnerability (CVE-2025-55182) has been identified in the React Server Components (RSC) protocol, it allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

---

Impact

• Remote Code Execution

---

System / Technologies affected

For affected versions of React:

• The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack
• Affected frameworks and bundlers: Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

For detail, please refer to the links below:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

• https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

---

Vulnerability Identifier

• CVE-2025-55182

---

Source

• React

---

Related Link

• https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
• https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html