Critical Vulnerabilities in React and Next.js

An attacker could exploit CVE-2025-55182 to perform remote code execution. CVE-2025-55182 affects React and dependent React frameworks such as Next.js.

Threat ID:: CC-4723
Threat Severity:: High
Published:: 4 December 2025 1:43 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

An attacker could exploit CVE-2025-55182 to perform remote code execution. CVE-2025-55182 affects React and dependent React frameworks such as Next.js.

Affected platforms

The following platforms are known to be affected:

React

React Server Components:

react-server-dom-webpack: versions 19.0, 19.1.0, 19.1.1, and 19.2.0
react-server-dom-parcel: versions 19.0, 19.1.0, 19.1.1, and 19.2.0
react-server-dom-turbopack: versions 19.0, 19.1.0, 19.1.1, and 19.2.0

If your JavaScript app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability

The following platforms are also known to be affected:

Some React frameworks and bundlers depend on, have peer dependencies for, or include the vulnerable React packages. The following React frameworks and bundlers are known to be affected:

Next.js
React Router
Waku
@parcel/rsc
@vitejs/plugin-rsc
RedwoodSDK

Threat details

CVE-2025-55182 Under Active Exploitation

Security researchers have reported observed exploitation of CVE-2025-55182 in the wild.

The NHS England National CSOC is aware that several functional proof-of-concept exploits exist for CVE-2025-55182 and assesses that continued successful exploitation in the wild is highly likely.

Introduction

React has released a security update to address a critical severity vulnerability in React Server Components. JavaScript applications and frameworks that support React Server Components are also affected. React Server Components allow web application clients to call a function on the React server, translating the HTTP requests into function calls and returning the requested data to the client.

Vulnerability Details

CVE-2025-55182 is an "unauthenticated remote code execution (RCE)" vulnerability with a CVSSv3 score of 10.0.

A remote, unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialised by React, could allow the attacker to execute arbitrary code on the server.

Note: CVE-2025-66478 has been issued by Vercel (developers of Next.js). CVE-2025-66478 is a duplicate of CVE-2025-55182.

Threat updates

Date	Update
5 Dec 2025	Active exploitation of CVE-2025-55182 observed

Remediation advice

Affected organisations must review React's Critical Security Vulnerability in React Server Components advisory and apply the relevant updates as soon as possible.

Remediation steps

Type	Step
Patch	Required: Patch React Server Components Affected organisations must update react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to a fixed version, which are: 19.0.1 or above 19.1.2 or above 19.2.1 or above Updating the affected packages can be completed with the following commands: react-server-dom-webpack: npm install react@latest react-dom@latest react-server-dom-webpack@latest react-server-dom-parcel: npm install react@latest react-dom@latest react-server-dom-parcel@latest react-server-dom-turbopack: npm install react@latest react-dom@latest react-server-dom-turbopack@latest https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Patch	Required: Patch Frameworks and Applications Using React Server Components Affected organisations must review their networks for React frameworks and applications that support React Server Components, and update them to the latest fixed version. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Type

Step

Patch

Required: Patch React Server Components

Affected organisations must update react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack to a fixed version, which are:

19.0.1 or above
19.1.2 or above
19.2.1 or above

Updating the affected packages can be completed with the following commands:

react-server-dom-webpack:
- npm install react@latest react-dom@latest react-server-dom-webpack@latest
react-server-dom-parcel:
- npm install react@latest react-dom@latest react-server-dom-parcel@latest
react-server-dom-turbopack:
- npm install react@latest react-dom@latest react-server-dom-turbopack@latest

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Patch

Required: Patch Frameworks and Applications Using React Server Components

Affected organisations must review their networks for React frameworks and applications that support React Server Components, and update them to the latest fixed version.

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Definitive source of threat updates

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

CVE Vulnerabilities

Status Published

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Status Rejected

CVE-2025-66478

This CVE is a duplicate of CVE-2025-55182.

Last edited: 5 December 2025 12:53 pm