Critical Security Vulnerability in React Server Components (CVE-2025-55182) Allows Remote Code Execution
By
nomaxx117
Sesame, salt, and substance. A flagship bake.
Summary
The React team disclosed a critical security vulnerability (CVE-2025-55182) rated CVSS 10.0 that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. The vulnerability affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0, and even apps without React Server Function endpoints may be vulnerable if they support React Server Components. Immediate action is required, and a fix has been introduced.
Key quotes
· 5 pulledOn November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React React Server Components.
This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
Immediate Action Required
You might also wanna read
Microsoft patches high-severity SharePoint RCE vulnerability CVE-2026-45659
Microsoft has patched a high-severity remote code execution vulnerability (CVE-2026-45659) in SharePoint that affects SharePoint Server Subs
helpnetsecurity.com·4d ago
VS Code Remote-SSH Vulnerability Enables Lateral Movement from Developer Machines to Cloud Servers
A critical vulnerability in Visual Studio Code's Remote-SSH extension creates a post-compromise attack path enabling threat actors to pivot
cybersecuritynews.com·2d ago