Critical Vulnerabilities in React and Next.js
r00t
Tags: vulnerability, react, nextjs, rce, patching
A critical remote code execution vulnerability (CVE-2025-55182) affects React 19 when using React Server Components (RSC) or “Server Functions.” This is not merely a React version issue: vulnerable react-server-dom-* packages may be present as transitive dependencies pulled in by a framework, so checking the top-level react version alone is not sufficient.
Affected Packages & Vulnerable Versions
| Package | Vulnerable Versions | Fixed Versions |
|---|---|---|
| react-server-dom-webpack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-parcel | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| react-server-dom-turbopack | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
Patching Instructions
npm Installation
```shell
npm install react-server-dom-webpack@19.2.1 react-server-dom-parcel@19.2.1 react-server-dom-turbopack@19.2.1
```
yarn Installation
```shell
yarn add react-server-dom-webpack@19.2.1 react-server-dom-parcel@19.2.1 react-server-dom-turbopack@19.2.1
```
pnpm Installation
```shell
pnpm add react-server-dom-webpack@19.2.1 react-server-dom-parcel@19.2.1 react-server-dom-turbopack@19.2.1
```
Verification Steps
Check your dependency tree with:
```shell
npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack --all
```
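To automate that check against the versions in the table above, here is an added example (not code from the original post) that walks the JSON form of the same command (`npm ls ... --all --json`) and reports every vulnerable react-server-dom-* install together with the dependency chain that pulled it in. The embedded tree is constructed sample data with a made-up `example-framework` parent; pass a saved `npm ls --json` file as the first argument to run it against a real project.

```javascript
// Added example: flag vulnerable react-server-dom-* packages anywhere in an
// `npm ls react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack --all --json`
// tree, including transitive copies nested under a framework.
const VULNERABLE_VERSIONS = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
const WATCHED = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];

// Recursively walk the npm ls JSON tree. Returns one entry per vulnerable
// install, with the chain of parent packages so you can see who pulled it in.
function findVulnerable(tree, parents = [], found = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const chain = [...parents, `${name}@${info.version || '?'}`];
    if (WATCHED.includes(name) && VULNERABLE_VERSIONS.includes(info.version)) {
      found.push({ name, version: info.version, path: chain.join(' > ') });
    }
    findVulnerable(info, chain, found); // descend into this package's own node_modules
  }
  return found;
}

// Constructed sample shaped like npm's --json output; not real project data.
// It contains a patched turbopack copy and a vulnerable webpack copy nested under a framework.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'example-framework': { // hypothetical framework package, stands in for Next.js etc.
      version: '0.0.0',
      dependencies: {
        'react-server-dom-webpack': { version: '19.0.0' },   // vulnerable
        'react-server-dom-turbopack': { version: '19.2.1' }, // fixed
      },
    },
    react: { version: '19.2.0' }, // react itself is not in the watched list
  },
};

// Stand-alone use: `node check.js npm-ls.json` (output of `npm ls ... --all --json`),
// or no argument to scan the constructed sample above.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const tree = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_TREE;
  const hits = findVulnerable(tree);
  for (const h of hits) console.log(`VULNERABLE ${h.name}@${h.version} via ${h.path}`);
  if (hits.length === 0) console.log('No vulnerable react-server-dom-* versions found');
}
```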
Dependency Override Methods
npm (package.json)
```json
{
  "overrides": {
    "react-server-dom-webpack": "19.2.1",
    "react-server-dom-parcel": "19.2.1",
    "react-server-dom-turbopack": "19.2.1"
  }
}
```
yarn (resolutions)
```json
{
  "resolutions": {
    "react-server-dom-webpack": "19.2.1",
    "react-server-dom-parcel": "19.2.1",
    "react-server-dom-turbopack": "19.2.1"
  }
}
```
pnpm (overrides)
```json
{
  "pnpm": {
    "overrides": {
      "react-server-dom-webpack": "19.2.1",
      "react-server-dom-parcel": "19.2.1",
      "react-server-dom-turbopack": "19.2.1"
    }
  }
}
```
Risk Assessment
- Impact: Unauthenticated remote code execution in server context
- Scope: RSC-enabled frameworks (particularly Next.js App Router)
- Detection: Attack payloads may appear as normal traffic to RSC endpoints
Immediate Actions Required
- Patch React Server Components packages to fixed versions
- Update framework (especially Next.js App Router)
- Validate installed dependency tree via package manager
- Implement WAF/edge protections and monitoring
References
- Next.js Security Advisory (GHSA-9qr9-h5gf-34mp)
- Cloudflare WAF rules for React vulnerability
Key Takeaway
This is not “just a React version check” - teams must audit the complete dependency tree for vulnerable react-server-dom-* packages, particularly when frameworks manage these as transitive dependencies.