
Critical Security Vulnerability in React Server Components

Blog post from Socket

Post Details
Company: Socket
Date Published:
Author: Sarah Gooding
Word Count: 395
Language: English
Hacker News Points: -
Summary

A critical unauthenticated remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) has been disclosed in React Server Components, prompting urgent updates across the ecosystem. The flaw is a decoding error in React Server Function endpoints that an attacker can exploit, potentially achieving remote code execution on the server. Affected versions are 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack; Next.js 15.x, 16.x, and 14.3.0-canary.77+ are also affected. React has released patched versions 19.0.1, 19.1.2, and 19.2.1, and users are urged to upgrade immediately. Many frameworks and bundlers, including Next.js and React Router, are affected through their dependency on the vulnerable packages. Hosting providers have applied temporary mitigations, but these are not a substitute for upgrading. The fixes were published to npm on December 3, 2025, and because RSC is now widely adopted in production stacks, the required updates reach a large part of the ecosystem. Socket customers can check for the vulnerability on the Dependencies page; CVE-based alerts are updated as new advisories are published.