
12/3/2025 • 5 min read
Critical React Security Vulnerability: Upgrade Now (CVE-2025-55182)
Last updated: December 3, 2025
If you're using React Server Components, you need to upgrade immediately. A critical remote code execution vulnerability (CVSS 10.0) was discovered that allows unauthenticated attackers to execute arbitrary code on your server.
This isn't theoretical. Sites are getting hacked. Upgrade now.
IMMEDIATE ACTION REQUIRED: This vulnerability affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Upgrade to patched versions 19.0.1, 19.1.2, or 19.2.1 immediately.
If you're using Next.js, upgrade to the latest patched version in your release line.
What Is This Vulnerability?
CVE-2025-55182 is a critical security flaw in React Server Components that allows unauthenticated remote code execution. An attacker can craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, executes arbitrary code on your server.
The vulnerability was discovered by Lachlan Davidson on November 29th and publicly disclosed as CVE-2025-55182 on December 3rd, 2025.
Who's Affected?
This vulnerability affects applications using:
- React Server Components in versions 19.0, 19.1.0, 19.1.1, and 19.2.0
- Next.js (all versions supporting React Server Components)
- React Router (if using unstable RSC APIs)
- Waku, Expo, Redwood SDK, and other frameworks using React Server Components
- Any bundler or plugin that uses react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack
Even if you don't implement React Server Function endpoints, you may still be vulnerable if your app supports React Server Components.
If your app's React code doesn't use a server, or if you're not using a framework/bundler that supports React Server Components, you're not affected by this vulnerability.
Upgrade Instructions
For AI Coding Agents
For everyone using AI coding agents, use this prompt:
Upgrade to a patched version of Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7) and react-server-dom (19.0.1, 19.1.2, and 19.2.1)
Copy this prompt, paste it into your AI coding agent, and it will handle the upgrade for you.
This applies regardless of whether you're using a vibe coding platform like Bolt, Replit, Emergent, Lovable, or others. It's the same if you're using ChatGPT, Claude, GitHub Copilot, or any other AI coding assistant.
Next.js
Upgrade to the latest patched version in your release line:
# For Next.js 15.0.x
npm install next@15.0.5
# For Next.js 15.1.x
npm install next@15.1.9
# For Next.js 15.2.x
npm install next@15.2.6
# For Next.js 15.3.x
npm install next@15.3.6
# For Next.js 15.4.x
npm install next@15.4.8
# For Next.js 15.5.x
npm install next@15.5.7
# For Next.js 16.0.x
npm install next@16.0.7
If you're on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
npm install next@14
React and React Server Components
Upgrade React and the affected React Server Components packages:
# Upgrade React to latest patched version
npm install react@latest react-dom@latest
# Upgrade React Server Components packages
npm install react-server-dom-webpack@latest
# OR
npm install react-server-dom-parcel@latest
# OR
npm install react-server-dom-turbopack@latest
Patched versions:
- react-server-dom-webpack: 19.0.1, 19.1.2, or 19.2.1
- react-server-dom-parcel: 19.0.1, 19.1.2, or 19.2.1
- react-server-dom-turbopack: 19.0.1, 19.1.2, or 19.2.1
React Router
If you're using React Router's unstable RSC APIs, upgrade:
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
Other Frameworks
Waku:
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
Redwood SDK:
npm install rwsdk@latest
npm install react@latest react-dom@latest react-server-dom-webpack@latest
Expo:
See the Expo changelog for mitigation instructions.
@vitejs/plugin-rsc:
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
After Upgrading
- Redeploy immediately — Don't wait. Once you've upgraded, deploy to production as soon as possible.
- Verify the upgrade — Check your package.json and package-lock.json to ensure the patched versions are installed. List all three react-server-dom packages, not just the one your bundler uses, since a framework can pull in another copy as a nested dependency:
npm list react react-dom react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack
- Run security scans — Use Rafter or similar tools to verify your application is secure and check for other vulnerabilities.
- Monitor your logs — Watch for any suspicious activity that might indicate exploitation attempts.
Why This Matters
This vulnerability is particularly dangerous because:
- No authentication required — Attackers don't need to be logged in
- Remote code execution — Successful exploitation gives attackers full control of your server
- Easy to exploit — The attack vector is straightforward for knowledgeable attackers
- Wide impact — Affects many popular frameworks and applications
The React team worked quickly with hosting providers to implement temporary mitigations, but you should not depend on these. Upgrade your dependencies immediately.
Timeline
- November 29th: Lachlan Davidson reported the vulnerability via Meta Bug Bounty
- November 30th: Meta security researchers confirmed and began working on a fix
- December 1st: Fix created and validated with hosting providers
- December 3rd: Fix published to npm and publicly disclosed as CVE-2025-55182
The Bottom Line
This is a critical vulnerability that requires immediate action. Don't wait. Don't assume your hosting provider's mitigations are enough. Upgrade your React Server Components dependencies and redeploy immediately.
If you're vibe coding and shipping fast, you have two options:
Option 1: Use your AI coding agent — Copy this prompt:
Upgrade to a patched version of Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7) and react-server-dom (19.0.1, 19.1.2, and 19.2.1)
Option 2: Run these commands directly. Note that next@latest moves you to the newest major release, which may bring breaking changes; if you need to stay on your current release line, use the per-line commands above instead:
# Quick upgrade for most Next.js apps (moves to the latest major release)
npm install next@latest react@latest react-dom@latest
# Commit the lockfile change and redeploy immediately
git commit -am "Security: Upgrade React and Next.js to patch CVE-2025-55182"
git push
Security vulnerabilities don't wait for convenient timing. Upgrade now.
Need Help Securing Your App?
Vulnerabilities like this are why automated security scanning is essential. Rafter helps you catch security issues before they become emergencies.
- Run a Free Security Scan
- Learn About Automated Security Scanning
- Read Our Security Best Practices Guide
Thank you to Lachlan Davidson for discovering and reporting this vulnerability, and to the React team for their rapid response and fix.