Critical Security Alert: React Server Components Vulnerability
What's at Risk?
Let me be direct: an unauthenticated attacker can execute arbitrary code on your server. No authentication required. No special permissions needed. Just a crafted HTTP request to any React Server Function endpoint.
Here's what makes this particularly dangerous:
- It's unauthenticated - Attackers don't need to log in or have any credentials
- It's remote - They can exploit it from anywhere on the internet
- It's in the framework layer - Your application code doesn't need to have bugs; the vulnerability is in React itself
- It affects more than you think - Even if you don't explicitly use Server Functions, you might still be vulnerable
Am I Affected?
You're vulnerable if you meet any of these conditions:
- You're using Next.js 13.3 or later with the App Router
- You're using React Router with unstable RSC APIs
- You're using Waku, Redwood, or Expo with Server Components
- You're using any of these packages in versions 19.0 through 19.2.0:
react-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack
Important: Even if you haven't explicitly created any Server Actions or Server Functions, your app might still be vulnerable if it supports React Server Components at all. The vulnerability exists in how React decodes payloads, not in your application code.
You're not affected if:
- Your React app runs entirely on the client (no server rendering)
- You're using Next.js Pages Router without any Server Components
- You're using React Native without any of the server-dom packages
How the Vulnerability Works
React Server Components allow clients to call functions on the server. When you invoke a Server Action, React translates that into an HTTP request with a specially formatted payload. On the server, React deserializes this payload and executes the corresponding function.
The vulnerability lies in the deserialization process. An attacker can craft a malicious HTTP request that, when deserialized by React, executes arbitrary code on your server. Think of it like SQL injection, but for React's serialization format.
The React team has intentionally withheld full technical details of the exploit until most apps have been patched. This is standard practice for critical vulnerabilities - publishing exploit details too early gives attackers a blueprint before defenders can patch.
Update Instructions: Do This Now
The fix is available. You need to upgrade immediately. Don't wait for your next sprint or deployment cycle. This is a drop-everything-and-patch situation.
Next.js Users
Next.js users have the most straightforward path. The Vercel team worked closely with React to release patched versions across all supported release lines. Find your version and upgrade:
Special note for Next.js 13 users: If you're on any version of Next.js 13.3 or later (13.3.x, 13.4.x, 13.5.x), upgrade to next@14.2.35. Yes, this is a major version bump, but it's necessary for the security patch.If you're on a canary release like next@14.3.0-canary.77 or later, downgrade to the latest stable 14.x release:
React Router Users
If you're using React Router's unstable RSC APIs, update these packages:
Waku Users
Update to the latest versions:
Redwood SDK Users
Make sure you're on rwsdk@1.0.0-alpha.0 or later:
Expo Users
Expo has published specific mitigation instructions. Check their changelog for the latest guidance.
Direct React Package Users
If you're using React Server Components without a framework, update these packages directly:
React Native Users
Most React Native users aren't affected since React Native doesn't use the server-dom packages. However, if you're in a monorepo that includes web apps with Server Components, you need to update only the affected packages:
Do not update react and react-dom in your React Native project, as this will cause version mismatch errors. You only need to update the server-dom packages to mitigate the vulnerability.
Additional Vulnerabilities Discovered
During the investigation and patching process, the React team discovered two additional vulnerabilities that have also been patched in the same updates:
| CVE | Severity | Issue |
|---|---|---|
CVE-2025-55184 | High (7.5) | Denial of Service vulnerability |
CVE-2025-55183 | Medium (5.3) | Source code exposure vulnerability |
CVE-2025-67779 | Critical | Additional case of the original RCE vulnerability |
All of these vulnerabilities are patched in the same updates. You don't need to take any additional action beyond updating to the versions listed above.
What About Hosting Provider Mitigations?
Several hosting providers (including Vercel, Netlify, and others) worked with the React team to deploy temporary mitigations at the infrastructure level. This is great, and it shows the community coming together to protect users.
However, you should not rely on these mitigations as your primary defense. They're temporary measures, and they might not catch every exploit variant. Update your code. Deploy the patched versions. Don't assume your hosting provider has you covered.
Verification After Patching
After you've deployed the updates, verify your patch:
- Check your package.json - Make sure the updated versions are in your dependencies
- Check your lock file - Ensure
package-lock.jsonoryarn.lockreflects the new versions - Rebuild and redeploy - Don't just update locally; deploy to production
- Clear your build caches - Some CI/CD systems cache node_modules; make sure you're getting fresh installs
If you're using Next.js, you can check your version with:
Timeline: How This Unfolded
Security vulnerabilities are often kept under wraps until patches are available. Here's how the React team handled this one:
- November 29th - Lachlan Davidson discovered and reported the vulnerability through Meta's Bug Bounty program
- November 30th - Meta's security team confirmed the issue and began working with React team on a fix
- December 1st - Fix created and shared with hosting providers and major frameworks for validation
- December 3rd - Patches published to npm and public disclosure as CVE-2025-55182
This is a remarkably fast response time for a vulnerability of this severity. From discovery to public patch in just four days is impressive, and it shows how seriously the React team takes security.
What This Means for React Server Components
This vulnerability doesn't mean React Server Components are fundamentally flawed or that you should stop using them. Security vulnerabilities happen in all software, including mature, battle-tested frameworks.
What it does mean:
- Stay up to date - Don't let your React and framework versions fall too far behind
- Watch for security advisories - Subscribe to your framework's security announcements
- Have a rapid response plan - When critical patches drop, you need to be able to deploy quickly
- Layer your security - Use authentication, rate limiting, and other defenses even when your framework is secure
Questions You Might Have
"Can I just disable Server Components instead of upgrading?"
In theory, yes. In practice, if you're using a framework like Next.js with the App Router, Server Components are deeply integrated. Disabling them would require significant code changes. It's faster and safer to just update.
"How do I know if my app has been exploited?"
This is the scary part: exploitation might not leave obvious traces. Check your server logs for unusual HTTP requests to Server Function endpoints, unexpected process spawning, or unusual network activity. If you're seriously concerned, consider engaging a security professional for a thorough audit.
"Should I disclose this vulnerability to my users?"
If you're running a service that was vulnerable and you've patched it, transparency is usually the right call. You don't need to provide exploit details, but letting users know you've addressed a security issue builds trust.
"Will this happen again?"
Probably. Server Components are relatively new technology, and as they get more usage and scrutiny, more vulnerabilities may be discovered. This is normal for evolving software. The key is having processes in place to respond quickly when issues arise.
Credit Where It's Due
Huge thanks to Lachlan Davidson for discovering this vulnerability and reporting it responsibly through Meta's Bug Bounty program. Responsible disclosure gives developers time to patch before exploits go public, and that likely prevented real-world attacks.
Also, props to the React team, framework maintainers, and hosting providers for coordinating a rapid response. Getting patches out across the entire ecosystem in four days is no small feat.
Take Action Now
I know I've said this multiple times throughout this article, but it bears repeating: if you're using React Server Components in production, stop reading and go patch your apps.
Here's your action checklist:
- Identify which apps in your organization use Server Components
- Update to the patched versions (see instructions above)
- Test your apps to ensure the updates don't break anything
- Deploy to production immediately
- Verify the patched versions are running in production
- Document this incident and your response for future reference
This isn't a "fix it when you get around to it" issue. This is a critical, actively exploitable vulnerability with a CVSS score of 10.0. Treat it with the urgency it deserves.
Additional Resources
- Official React Blog - For the original disclosure and updates
- Next.js Blog - For Next.js-specific guidance
- GitHub Security Advisories - Track CVEs and security updates
Stay safe out there, and make sure your teams know how to respond when critical vulnerabilities like this are disclosed. The faster you can patch, the safer your users are.