Critical Remote Code Execution Vulnerability in React Server Components (CVE-2025-55182)

Published on 04-Dec-2025 16:00:00

Immediate Actions

Patch immediately: Upgrade React Server Components packages to the patched releases (19.0.1, 19.1.2, 19.2.1 or later) and update frameworks (Next.js and others) to their fixed releases. Treat every public-facing app using React 19 RSC (including Next.js) as at risk until upgraded.

If you cannot patch immediately: Put the application behind a WAF with virtual-patch rules for this RCE (Cloudflare, Fastly, Fastly NGWAF and others have published emergency protections). Proxying traffic through a WAF with the emergency rule gives immediate mitigation while the upgrade is scheduled.

Restrict access to server-function endpoints where practical (allow-list management IPs, or expose them to internal networks only).

Audit projects and CI for the vulnerable packages: scan your monorepos, build images, container images and package lock files for react-server-dom-* packages. Treat scaffolded apps (create-next-app, templates) as potentially vulnerable as well.
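As an added example (not part of the advisory), the following script scans an npm package-lock.json for react-server-dom-* entries whose version predates the patched releases named above. It assumes a lockfileVersion 2 or 3 layout (entries under "packages"), that 19.x minor lines beyond 19.2 are fixed, and that non-19 versions are out of scope; the lockfile content is constructed for the demo.

```python
import json
import re

# Patched releases named in the advisory: 19.0.1, 19.1.2, 19.2.1 (or later).
# Minimum safe patch level per 19.x minor line. Assumption: later minors (19.3+) are fixed.
PATCHED_MIN_PATCH = {0: 1, 1: 2, 2: 1}

# Constructed sample lockfile (npm lockfileVersion 3 shape); not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.1.2"},
        "node_modules/react-server-dom-parcel": {"version": "19.0.0"},
    },
})

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_vulnerable_version(version: str) -> bool:
    """True if a react-server-dom-* version predates the patched release of its 19.x line."""
    m = _VER.match(version)
    if not m:
        return True  # unparseable version string: flag it for manual review
    major, minor, patch = (int(x) for x in m.groups())
    if major != 19:
        return False  # the advisory scopes the issue to React 19 RSC
    if minor in PATCHED_MIN_PATCH:
        return patch < PATCHED_MIN_PATCH[minor]
    return False  # assumption: 19.3+ lines ship with the fix


def find_vulnerable_rsc(lock_text: str) -> list[tuple[str, str]]:
    """Return (lockfile path, version) for every vulnerable react-server-dom-* entry."""
    lock = json.loads(lock_text)
    hits = []
    # lockfileVersion 2/3 keep every installed package under "packages",
    # keyed by its node_modules path (nested installs included).
    for path, meta in (lock.get("packages") or {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name.startswith("react-server-dom-") and is_vulnerable_version(version):
            hits.append((path, version))
    return hits


if __name__ == "__main__":
    for path, version in find_vulnerable_rsc(SAMPLE_LOCK):
        print(f"VULNERABLE {path} {version}")
```

Run it against each package-lock.json in the monorepo (for example via a CI step that fails the build on any hit); pnpm and yarn lockfiles use different layouts and need their own parser.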


References

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://nvd.nist.gov/vuln/detail/CVE-2025-55182

https://www.tenable.com/blog/react2shell-cve-2025-55182-react-server-components-rce

https://nextjs.org/blog/CVE-2025-66478

https://blog.cloudflare.com/waf-rules-react-vulnerability/