Headline
GHSA-fv66-9v8q-g76r: React Server Components are Vulnerable to RCE
Impact
There is an unauthenticated remote code execution vulnerability in React Server Components.
We recommend upgrading immediately.
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
Patches
A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.
If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
References
See the blog post for more information and upgrade instructions.
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-55182
React Server Components are Vulnerable to RCE
Critical severity GitHub Reviewed Published Dec 3, 2025 in facebook/react • Updated Dec 3, 2025
Package
npm react-server-dom-parcel (npm)
Affected versions
= 19.0
>= 19.1.0, < 19.1.2
= 19.2.0
Patched versions
19.0.1
19.1.2
19.2.1
npm react-server-dom-turbopack (npm)
= 19.0
>= 19.1.0, < 19.1.2
= 19.2.0
npm react-server-dom-webpack (npm)
= 19.0
>= 19.1.0, < 19.1.2
= 19.2.0
Description
Published to the GitHub Advisory Database
Dec 3, 2025
EPSS score
Related news
A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in