React Server Components CVE-2025-55182: What You Need to Know
On December 3rd, 2025, the React team disclosed CVE-2025-55182, a critical security vulnerability in React Server Components that allows unauthenticated remote code execution. This matters because any application using React Server Components could allow attackers to execute code on your server without authentication. The vulnerability affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, but only if your application uses React Server Components or React Server Functions. If you are running a standard client-side React application without server components, you are not affected.
What Happened
The vulnerability exists in how React decodes payloads sent to React Server Function endpoints. When a client calls a server function, React translates the HTTP request into a function call on the server. An attacker could craft a malicious HTTP request that, when processed by React's deserialization process, executes arbitrary code on your server.
The React team worked with security researcher Lachlan Davidson, who reported the issue through Meta's bug bounty program on November 29th. A fix was developed and released on December 3rd in versions 19.0.1, 19.1.2, and 19.2.1. The vulnerability received a CVSS score of 10.0, the highest severity rating, indicating critical risk.
Why It Matters
This vulnerability matters because it allows complete server compromise without authentication. An attacker does not need to log in or have any existing access to your system. They simply need to send a crafted request to any React Server Function endpoint. Once exploited, attackers can read sensitive data, modify your application, or use your server as part of a larger attack.
For businesses, this means potential data breaches, service disruption, and compliance violations. For development teams, it highlights the importance of dependency management and staying current with security patches. The React ecosystem's rapid adoption of Server Components means many teams may be vulnerable without realizing it.
Who Is Affected
The vulnerability affects applications using React Server Components or React Server Functions in specific versions. You are vulnerable if you meet all of these conditions:
- You are using React version 19.0, 19.1.0, 19.1.1, or 19.2.0
- Your application implements React Server Components
- Your application uses React Server Functions
- You are using a framework or bundler that supports React Server Components, such as Next.js, React Router with RSC APIs, Waku, or Vite with the RSC plugin
You are not affected if:
- You use React 18 or earlier versions
- Your application is a standard client-side React application without server components
- You do not use any React Server Function endpoints
- Your framework or bundler does not support React Server Components
None of our client projects at CateNET Solutions were affected because we do not use React Server Components in production applications.
How To Fix It
If you are using an affected version, upgrade immediately to a patched release. The fixed versions are 19.0.1, 19.1.2, and 19.2.1. Choose the version that matches your current release line.
For Next.js users, upgrade to the latest patched version in your release line. Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7 all include the fix. If you are on a Next.js 14 canary release, downgrade to the latest stable 14.x version.
For React Router users with RSC APIs, update React, React DOM, and any react-server-dom packages (for example react-server-dom-webpack) to the latest patched versions. The same applies to Waku, Redwood SDK, and other frameworks using React Server Components.
After upgrading, validate your builds and test your application to ensure everything functions correctly. Review the React team's official announcement for framework specific upgrade instructions.
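To make the affected-version conditions above and the upgrade targets from this section checkable in one place, here is an added dependency audit helper. It is not code from the original post or from the React project; it assumes that any version below the patched release of its line is affected, that the version strings are the installed versions (read a lockfile rather than package.json ranges in practice), and that a react-server-dom-* package in the dependency list is a reasonable heuristic that React Server Components are in use.

```javascript
// Added example, not code from the original post or the React project: audit a
// package.json-style dependency map against the affected and patched React and
// Next.js releases named in this post. Assumed: a version below the patched release
// of its line is affected, the strings are the installed versions (read a lockfile
// in practice), and any react-server-dom-* package is a heuristic sign of RSC use.
const REACT_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const NEXT_FIXED = { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6",
  "15.3": "15.3.6", "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" };

// Parse "19.1.1", "^19.1.0" or "14.3.0-canary.87" into comparable parts.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)(?:\.(\d+))?(?:-([\w.]+))?/.exec(String(spec).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +(m[3] || 0), pre: m[4] || null };
}

// True when v sits in the same major.minor line as fixedSpec but below its patch level.
function isBelowFix(v, fixedSpec) {
  const f = parseVersion(fixedSpec);
  return v.major === f.major && v.minor === f.minor && v.patch < f.patch;
}
// Returns { affectedReact, usesRsc, vulnerable, actions } for a dependency map.
function auditDependencies(deps) {
  const actions = [];
  const usesRsc = Object.keys(deps).some((n) => n.startsWith("react-server-dom-"));
  const react = deps.react ? parseVersion(deps.react) : null;
  const fixedReact = react ? REACT_FIXED[`${react.major}.${react.minor}`] : undefined;
  const affectedReact = Boolean(fixedReact && isBelowFix(react, fixedReact));
  if (affectedReact) {
    // React, React DOM and the react-server-dom packages are released together.
    for (const pkg of Object.keys(deps).filter((n) =>
      n === "react" || n === "react-dom" || n.startsWith("react-server-dom-"))) {
      actions.push(`upgrade ${pkg} to ${fixedReact}`);
    }
  }
  const next = deps.next ? parseVersion(deps.next) : null;
  if (next) {
    const fixedNext = NEXT_FIXED[`${next.major}.${next.minor}`];
    if (fixedNext && isBelowFix(next, fixedNext)) actions.push(`upgrade next to ${fixedNext}`);
    else if (next.major === 14 && next.pre && next.pre.startsWith("canary")) {
      actions.push("move next from the 14 canary to the latest stable 14.x release");
    }
  }
  // Vulnerable only when both conditions from the post hold: affected React and RSC in use.
  return { affectedReact, usesRsc, vulnerable: affectedReact && usesRsc, actions };
}
// Constructed sample: a Next.js 15.3 app pinned to React 19.1.1 with the RSC bundler package.
console.log(auditDependencies({ react: "19.1.1", "react-dom": "19.1.1",
  "react-server-dom-webpack": "19.1.1", next: "15.3.2" }));
```

A client-only app on an affected React version is reported as not vulnerable but still gets an upgrade action, matching the post's advice to stay current regardless.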
How We Handle This At CateNET
At CateNET Solutions, we maintain strict security practices for all client projects. We audit dependencies regularly to identify vulnerabilities before they become problems. We do not use React Server Components in production applications, choosing instead to build reliable client-side applications with proven architectures.
Our systems and client projects remain unaffected by CVE-2025-55182. When security issues arise, we patch immediately and communicate transparently with clients about any necessary updates. We follow secure software engineering principles, including regular dependency updates, security scanning, and code review processes.
None of our client projects were affected by this vulnerability.
Final Thoughts
Security vulnerabilities are part of modern software development, but proactive practices keep systems safe. Regular dependency audits, staying current with patches, and choosing stable architectures reduce risk significantly. The React team responded quickly to this issue, and the fix is available immediately for affected applications.
If you want secure and reliably maintained systems, CateNET Solutions can help. Our team in Studio City builds modern, stable and protected applications for growing businesses. We handle security updates, dependency management, and infrastructure maintenance so you can focus on your business.