Critical RCE Vulnerability in React Server Components Affects React 19.x and Next.js 15.x/16.x
By
rayhaanj
Summary
A critical security vulnerability (CVE-2025-5518) affects React package versions 19.0.0 through 19.2.0 and Next.js 15.x/16.x applications using the App Router, allowing Remote Code Execution (RCE) in React Server Components. The vulnerability has been fixed in React 19.0.1, 19.1.2 and 19.2.1 and in multiple Next.js versions, including 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 and the experimental canary releases. Users on affected versions should upgrade immediately to a patched version.
Key quotes
A vulnerability affects certain React packages for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router.
The issue is tracked upstream as CVE-2025-5518.
Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+
The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77.
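The practical question for a defender is whether the exact versions pinned in a project's lockfile fall inside the ranges quoted above and, if so, which patched release on the same minor line to move to. The following script is an added example, not code from the advisory or from the React or Next.js projects: the version tables are transcribed from the advisory text on this page, while the package-lock.json layout it reads and the sample lockfile are constructed for the example. Lines the advisory does not mention (for instance a future 15.6.0 stable release) are reported as unknown rather than guessed.

```python
"""Added example: offline check of pinned React / Next.js versions against the
version ranges quoted in this advisory.  Tables below are transcribed from the
advisory text; the lockfile snippet and its layout are constructed."""
import json
import re

# React: the advisory lists exactly these affected releases and their fixes.
AFFECTED_REACT = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
FIXED_REACT = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}

# Next.js stable lines: first patched release per major.minor line.
FIXED_NEXT = {
    "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
    "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
}
# Next.js canary lines: first patched canary build number per line.
FIXED_NEXT_CANARY = {"15.6": 58, "16.1": 12}
# Canary releases are affected starting with 14.3.0-canary.77.
FIRST_AFFECTED_CANARY = ((14, 3, 0), 77)

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$")


def parse(version):
    """Split 'X.Y.Z' or 'X.Y.Z-canary.N' into ((X, Y, Z), N-or-None)."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    major, minor, patch, canary = m.groups()
    return (int(major), int(minor), int(patch)), (int(canary) if canary else None)


def assess(package, version):
    """Return ('affected', upgrade_target), ('not_affected', None) or
    ('unknown', None) when the advisory gives no data for that line."""
    core, canary = parse(version)
    line = f"{core[0]}.{core[1]}"

    if canary is not None:
        if package != "next":
            return ("unknown", None)          # no canary data for other packages
        if (core, canary) < FIRST_AFFECTED_CANARY:
            return ("not_affected", None)     # predates the first affected canary
        fixed_build = FIXED_NEXT_CANARY.get(line)
        if fixed_build is not None and canary >= fixed_build:
            return ("not_affected", None)
        target = f"{line}.0-canary.{fixed_build}" if fixed_build is not None else None
        return ("affected", target)

    if package == "react":
        if version in AFFECTED_REACT:
            return ("affected", FIXED_REACT[line])
        return ("not_affected", None)

    if package == "next":
        if core[0] not in (15, 16):
            return ("not_affected", None)     # only 15.x and 16.x are named
        fixed = FIXED_NEXT.get(line)
        if fixed is None:
            return ("unknown", None)          # line not covered by the advisory
        return ("not_affected", None) if core >= parse(fixed)[0] else ("affected", fixed)

    return ("unknown", None)


def audit_lockfile(lock_text):
    """Map each pinned react/next entry in a package-lock.json 'packages'
    section (assumed layout: 'node_modules/<name>' -> {'version': ...})
    to its assessment."""
    lock = json.loads(lock_text)
    results = {}
    for path, entry in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in ("react", "next") and "version" in entry:
            results[name] = assess(name, entry["version"])
    return results


# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/next": {"version": "15.3.2"},
    }
})

if __name__ == "__main__":
    for name, (status, target) in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{name}: {status}" + (f", upgrade to {target}" if target else ""))
```

Run against a real package-lock.json by replacing SAMPLE_LOCK with the file's contents; the upgrade target returned is the first patched release on the same minor line, so the change stays within the semver range most projects already allow.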