
"Meta has discovered a critical vulnerability in React Server Components. The vulnerability has been given a maximum score of 10.0 and allows for unauthenticated remote code execution. The company is asking users to immediately update to the patched versions. This concerns CVE-2025-55182, a security vulnerability that allows attackers to execute arbitrary code on vulnerable servers. A malicious party can use a prepared HTTP request to a React Server endpoint to cause code to run on that server."
"It is difficult to say exactly how serious the vulnerability is. Many companies use React Server Components (RSC) or a framework that contains them. Server-side packages may contain the vulnerability, or a server that can process RSC payloads may be running. Anyone running Next.js, for example, should update as soon as possible. The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of React Server Components. Not only applications with React Server Function endpoints are vulnerable."
"The vulnerability affects three React packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. But the impact goes further. Popular frameworks and bundlers that rely on these packages are also vulnerable. These include Next.js, React Router, Waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk. For Next.js, versions 15.0 through 16.0 are affected. Users of Next.js 14.3.0-canary.77 or later canary releases should downgrade to the latest stable 14.x release. Next.js 13.x and 14.x stable versions are not vulnerable, nor are Pages Router applications."
A critical unauthenticated remote code execution vulnerability exists in React Server Components, tracked as CVE-2025-55182, and carries a maximum severity score of 10.0. A crafted HTTP request to a React Server endpoint can trigger arbitrary code execution on vulnerable servers. Affected RSC versions include 19.0, 19.1.0, 19.1.1, and 19.2.0, with patches available in 19.0.1, 19.1.2, and 19.2.1. Applications that support React Server Components, even without explicit Server Function endpoints, can be at risk. Multiple frameworks and bundlers that depend on the vulnerable packages are also affected, so immediate updates or mitigations are required.
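As an added check (not code from the article or from the React or Next.js projects), the following Node.js script walks a parsed package-lock.json and flags the package versions listed above; it assumes a lockfileVersion 2/3 layout with a "packages" map keyed by "node_modules/<name>", and marks Next.js 15.x/16.0 entries for review only, since no patched Next.js build is named here.

```javascript
// Version facts below come from the article; lock layout ("packages" keyed by
// "node_modules/<name>", lockfileVersion 2/3) is an assumption of this example.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"];
// First patched release per affected RSC minor line: 19.0.1, 19.1.2, 19.2.1.
const RSC_FIXED_PATCH = { "19.0": 1, "19.1": 2, "19.2": 1 };
// Parse "MAJOR.MINOR[.PATCH][-prerelease]"; "19.0" counts as 19.0.0.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: m[3] === undefined ? 0 : +m[3], pre: m[4] || null };
}
// Classify one installed package: "vulnerable", "review", "ok" or "unknown".
function classify(name, version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  if (RSC_PACKAGES.includes(name)) {
    const fixed = RSC_FIXED_PATCH[`${p.major}.${p.minor}`];
    if (fixed === undefined) return "ok"; // only 19.0-19.2 are listed as affected
    return p.patch >= fixed ? "ok" : "vulnerable";
  }
  if (name === "next") {
    // 15.0 through 16.0 are affected; the article names no patched 15.x/16.0 build,
    // so those go to manual review. 13.x and 14.x stable are not affected.
    if (p.major === 15 || (p.major === 16 && p.minor === 0)) return "review";
    // 14.3.0-canary.77 and later canaries: advised to downgrade to stable 14.x.
    const canary = p.major === 14 && p.minor === 3 && p.patch === 0 && p.pre
      ? /^canary\.(\d+)$/.exec(p.pre) : null;
    if (canary && +canary[1] >= 77) return "vulnerable";
    return "ok";
  }
  return "ok"; // package not named in the advisory
}
// Walk a parsed package-lock.json and return every entry that is not "ok".
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0 || !entry.version) continue; // skip root entry and workspace links
    const name = path.slice(i + "node_modules/".length); // keeps scoped names intact
    const status = classify(name, entry.version);
    if (status !== "ok") findings.push({ name, version: entry.version, status });
  }
  return findings;
}
// Constructed sample lock (not a real project); the nested path is a transitive install.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/next": { version: "15.2.0" },
  "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" } } };
console.log(auditLock(SAMPLE_LOCK));
```

Run it as `node audit.js` after replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a "review" finding means the installed line is in the affected range and the framework's own advisory should be consulted for the patched build.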
Read at Techzine Global