Vladimir Kukresh

⚠️ Critical RCE Vulnerability in React Server Components (CVSS 10.0)

A critical remote-code-execution (RCE) vulnerability has been disclosed in React Server Components (RSC), affecting multiple React versions and all frameworks that rely on RSC — including Next.js App Router.
Because the flaw enables unauthenticated arbitrary code execution on the server, the severity is rated CVSS 10.0 (maximum).

This post summarizes what is affected, the actual risk, and the steps
required to secure your applications.


🚨 Why this vulnerability matters

React Server Components introduce a hybrid rendering model where the
server returns component trees to the client.
The disclosed vulnerability allows malicious actors to abuse this
protocol and inject payloads that get executed server-side, leading to:

  • Full server compromise
  • Access to environment variables
  • Supply-chain risk via poisoned responses
  • Lateral movement inside the infrastructure

This is one of the most severe RSC-related issues ever published.

⚠️ Affected technologies

React Server Components packages

  • Vulnerable: 19.0, 19.1.0, 19.1.1, 19.2.0
  • Patched: 19.0.1, 19.1.2, 19.2.1+

Next.js with App Router

Next.js uses RSC under the hood, making it affected by default when
using the /app directory.

Vulnerable versions:

  • 15.x
  • 16.x (various releases)

Patched versions:

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7

🔧 Required actions (immediate)

  • Upgrade React RSC packages to one of the secure versions: 19.0.1, 19.1.2, 19.2.1, or later.
  • Upgrade Next.js to a patched version listed above.
  • Rebuild and redeploy all affected applications after updating dependencies.
  • Rotate secrets/credentials if your service was deployed with vulnerable versions.

(Recommended) Review logs for suspicious RSC request patterns.

🔍 How to check if your project is affected

For React projects

Run:

npm ls react-server react-server-dom-webpack

Or inspect package.json / pnpm-lock.yaml for versions listed above.

For Next.js

Run:

npx next info

Check whether:

  • You're using the App Router (/app directory)
  • Your Next.js version is in the vulnerable range

📌 Applicability

This advisory applies to:

  • Projects built on React that use RSC
  • Projects built on Next.js App Router
  • Any backend that processes RSC protocol traffic

It does not impact traditional React applications that do not use
RSC.

🔥 Final notes

This vulnerability is a rare case where React's server-side infrastructure becomes an attack vector: unauthenticated, remotely exploitable, and with full server compromise potential.
If your team maintains applications using RSC or Next.js App Router, treat these updates as urgent.

Stay safe and patch early.

React Team “Critical Security Vulnerability in React Server Components (CVE-2025-55182)”
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
