
React disclosed a CVSS 10.0 RCE in React Server Components and is advising users to upgrade affected packages and frameworks to patched versions now.

Published:

3 December 2025 at 22:32:56

Alert date:

5 December 2025 at 08:03:23

Source:

socket.dev


React disclosed a critical CVSS 10.0 remote code execution vulnerability (CVE-2025-55182) in React Server Components. The flaw affects how React decodes payloads sent to React Server Function endpoints, allowing attackers to craft malicious HTTP requests that result in RCE when deserialized. The vulnerability affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Even applications not intentionally exposing React Server Function endpoints may be vulnerable if their stack supports React Server Components through frameworks, bundlers, or plugins. Users are advised to immediately upgrade to patched versions.
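An added example, not part of the original advisory or of React's own code: a JavaScript check that walks an npm `package-lock.json` (lockfileVersion 2 or 3) and reports packages pinned to the affected versions listed above, including copies pulled in through a framework. The package-name filter (`react`, `react-server-dom-*`), the reading of "19.0" as 19.0.0, and the sample lockfile are assumptions.

```javascript
// Affected versions as listed in the advisory text above.
// Assumption: the page's "19.0" is read as the npm version 19.0.0.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Assumption (not stated on the page): which npm package names to inspect.
const isWatchedPackage = (name) =>
  name === "react" || name.startsWith("react-server-dom-");

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

function findAffected(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 (no 'packages' map)");
  // Direct dependencies are declared on the root entry (key "").
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = entry.name || packageNameFromPath(path);
    if (!name || !isWatchedPackage(name)) continue;
    const version = String(entry.version || "").split("+")[0]; // drop build metadata
    if (AFFECTED_VERSIONS.has(version)) {
      findings.push({ name, version, path, direct: direct.has(name) });
    }
  }
  return findings;
}

// Constructed sample lockfile ("some-framework" and "other" are made-up names).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "^19.1.0", "some-framework": "^1.0.0" } },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/some-framework": { version: "1.0.0" },
    "node_modules/some-framework/node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/other/node_modules/react": { version: "18.3.1" },
  },
});

for (const f of findAffected(SAMPLE_LOCK)) {
  console.log(`${f.name}@${f.version} at ${f.path} (${f.direct ? "direct" : "transitive"})`);
}
```

Findings marked transitive are the case the advisory warns about: an affected package present only because a framework, bundler, or plugin depends on it.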

Technical details

Mitigation steps:

Affected products:

React Server Components
React

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
