What happened (short)
On December 3, 2025 the React team disclosed a critical vulnerability (tracked as CVE-2025-55182) in React Server Components' handling of incoming payloads for Server Function / Flight requests. The flaw involves unsafe deserialization of untrusted data, which under certain conditions lets an attacker achieve unauthenticated remote code execution (RCE). The React team, framework maintainers (Next.js), cloud/CDN/WAF providers, and other ecosystem partners responded with patches and mitigations.
Affected packages and versions
The vulnerability is present in the following React Server Components packages:
- react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
These packages are used directly by some projects and are also embedded inside frameworks and bundlers that support React Server Components. The React advisory and the NVD list these exact package versions.
Frameworks & bundlers likely impacted
Frameworks and tools that embed or depend on these RSC implementations may inherit the vulnerability. Notable examples called out in official advisories include:
- Next.js (App Router / RSC support) — Next.js published its own advisory tracking the issue as CVE-2025-66478 and lists affected Next.js version ranges.
- Tools and plugins that expose RSC support (community Vite RSC plugins, Parcel integrations, Turbopack, certain routing/framework plugins) may also be affected; follow upstream advisories for each project.
Important: even if your app does not define Server Function endpoints, an app that supports React Server Components may still be exposed, depending on how the framework/bundler handles Flight/Server Function requests. Check your framework’s advisory.
What the vulnerability allows
- Unauthenticated remote code execution (RCE) via unsafe deserialization of Flight / Server Function payloads.
- Because this is pre-authentication RCE, an attacker could potentially execute arbitrary code on the server running the vulnerable component, leading to data exposure, backdoors, or full server compromise.
Are there reports of active exploitation?
As of the time of these advisories (December 3, 2025), vendors and major security trackers reported the vulnerability and published patches; there were no widely confirmed public reports of in-the-wild exploitation at publication time, though some unverified reports circulated. Treat the vulnerability as urgent and remediate quickly.
Patched releases / fixed versions
React Server Component packages (fixed):
- react-server-dom-parcel: 19.0.1, 19.1.2, 19.2.1
- react-server-dom-webpack: 19.0.1, 19.1.2, 19.2.1
- react-server-dom-turbopack: 19.0.1, 19.1.2, 19.2.1
(These package versions include hardened input handling.)
Next.js (examples of fixed versions published by Next.js):
Patched releases of the next package include 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7 (upgrade to a patched release in your version series). See the Next.js advisory for exact affected ranges and fixed releases.
Provider mitigations: Vercel and several large CDN/WAF vendors rolled out mitigations / WAF rules while patches were published; however, provider mitigations are a stopgap — you should update your dependencies.
How to check whether you’re affected (practical steps)
- Check your package.json and lockfile for any of the react-server-dom-* packages or for Next.js versions in the affected ranges.
- Example: npm ls react-server-dom-webpack or yarn why react-server-dom-webpack
- If you use Next.js, check the Next.js advisory page (GHSA) to confirm whether your exact Next.js version is in an affected range — Next.js provides ranges and patched releases.
- If you rely on a framework plugin (Vite, Parcel, Turbopack) check the plugin’s security advisory and update accordingly (many plugin maintainers released advisories and fixed versions).
- When in doubt, scan your repositories with an SCA or dependency scanner (GitHub Dependabot alerts, Snyk, or your company’s vulnerability scanner) that detects these specific CVEs.
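As a complement to the npm ls / yarn why check above, here is a small script, added as an example and not taken from the React or Next.js advisories, that walks a package-lock.json object (lockfile v1, v2 or v3; yarn.lock is not JSON and is not handled) and reports every copy of the three react-server-dom-* packages against the exact affected and fixed versions listed on this page, including copies nested under another dependency. The sample lockfile inside it is constructed.

```javascript
// Added example: flag the react-server-dom-* versions listed above in a package-lock.json object.
// Version lists are copied from the advisory text; any other version of these packages
// is reported as "unlisted" so it can be checked by hand against the advisory.
const AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED = new Set(["19.0.1", "19.1.2", "19.2.1"]);
const RSC_PACKAGES = new Set([
  "react-server-dom-parcel", "react-server-dom-webpack", "react-server-dom-turbopack",
]);

function classify(version) {
  if (AFFECTED.has(version)) return "AFFECTED";
  if (FIXED.has(version)) return "fixed";
  return "unlisted (check advisory)";
}

// Returns [{ name, version, path, status }] for every RSC package in the lock, handling
// both the flat "packages" map (lockfileVersion 2/3) and the nested "dependencies" tree (v1).
// Nested copies such as node_modules/next/node_modules/react-server-dom-webpack count too.
function findRscPackages(lock) {
  const found = [];
  const record = (name, version, path) => {
    if (RSC_PACKAGES.has(name) && version) found.push({ name, version, path, status: classify(version) });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      record(path.split("node_modules/").pop(), meta.version, path); // key -> package name
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        record(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Constructed sample lockfile (v3): a fixed top-level copy plus a vulnerable copy nested under next.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  },
};

for (const hit of findRscPackages(SAMPLE_LOCK)) console.log(`${hit.status}\t${hit.name}@${hit.version}\t${hit.path}`);
```

To scan a real lockfile, pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to findRscPackages instead of SAMPLE_LOCK; an "AFFECTED" or "unlisted" hit nested under a framework package means the framework itself must be upgraded, not just your direct dependency.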
Recommended remediation (step-by-step, safest approach)
A. Immediate — apply provider mitigations if available
- If your app is hosted on a platform that published an emergency mitigation (for example, Vercel deployed WAF rules), enable the provider mitigation and plan to update dependencies. Provider mitigations can reduce exposure while you perform upgrades.
B. Upgrade affected packages and frameworks (primary remediation)
- If you depend directly on any react-server-dom-* package, update to the patched package versions:
# example: upgrade react-server-dom-webpack to the patched version
npm install react-server-dom-webpack@19.2.1
# or with yarn
yarn add react-server-dom-webpack@19.2.1
Replace package and version with the matching patched release for your series (19.0.1 / 19.1.2 / 19.2.1 as appropriate).
- If you use Next.js, upgrade to a patched Next.js release that covers your major version (for example, a minimum patched release in the ranges listed in the Next.js advisory). Example:
# example: upgrade to a patched Next.js release (pick the appropriate patched version for your branch)
npm install next@16.0.7
Check the Next.js GHSA to determine the correct patched version for your installed release. Do not blindly jump major versions without testing.
C. Rebuild & test
- After upgrading, perform a clean build, run your test suite, and validate critical paths. RSC and framework upgrades can introduce breaking changes — test thoroughly in staging before rolling to production.
D. If an immediate upgrade is risky
- If you cannot upgrade immediately, apply available provider WAF/edge mitigations, restrict access to Server Function endpoints if feasible, and schedule a tested upgrade window ASAP. Provider mitigations are temporary and not a substitute for installing patched packages.
Post-remediation checks
- Confirm no malicious processes or unexpected deployments exist in your environment. If a public-facing server has been running a vulnerable version for some time, consider performing an incident review or forensic scan.
- Rotate credentials and secrets if there’s any suspicion of compromise.
- Re-enable monitoring and alerting for suspicious activity.
How Themefisher can help
If you don’t have the time or in-house resources to safely apply these upgrades and fully test them, Themefisher offers a Version Upgrade & Security Hardening Service that includes:
- Full dependency & vulnerability audit (checks for CVE-2025-55182 and related advisories).
- Safe upgrades of React / react-server-dom packages and framework packages (Next.js).
- Fixes for breaking changes, automated and manual testing across environments.
- Deployment support and verification on your hosting provider (Vercel, Netlify, Render, self-hosted).
- Post-upgrade security checks and optional monitoring setup.
If you’d like, we can perform an audit and send a prioritized remediation plan. Contact us.
References & official advisories
- React security advisory / blog: Critical Security Vulnerability in React Server Components. (React)
- Next.js GitHub advisory (GHSA / CVE-2025-66478) — Next.js affected ranges and fixed releases. (GitHub)
- Vercel changelog — summary of CVE-2025-55182 and platform mitigations. (Vercel)
- NVD entry for CVE-2025-55182 — technical description and CVSS. (NVD)
Final note
CVE-2025-55182 is a real and serious vulnerability that affects modern React Server Component stacks. Official patches and provider mitigations exist — apply them now. If you need help auditing or upgrading your theme/site/app, Themefisher can handle the upgrade and validation so you can focus on running your business.
