Critical Security Vulnerability in React Server Components

3 December 2025 at 22:32:56

socket.dev

React disclosed a critical remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components. It affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 and stems from a flaw in how React decodes payloads sent to React Server Function endpoints. Attackers can craft malicious HTTP requests that result in RCE when deserialized. Applications may be vulnerable even if they don't intentionally expose React Server Function endpoints, because affected packages can be pulled in indirectly through frameworks, bundlers, or plugins. The React team advises upgrading to patched versions immediately.
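Because the affected packages can arrive indirectly, a lockfile check is more reliable than reading `package.json`. The following is an added example, not code from the article or the React project: it scans a parsed `package-lock.json` for the versions listed above. The `react-server-dom-*` package names and the reading of "19.0" as `19.0.0` are assumptions not stated on this page.

```javascript
// Versions the article lists as affected; "19.0" is read here as 19.0.0 (assumption).
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Assumption (not on the page): the react-server-dom-* packages are the ones that
// implement React Server Components. Adjust this set to the upstream advisory.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// lock: parsed package-lock.json (lockfileVersion 2 or 3). Keys of lock.packages
// are install paths such as "node_modules/a/node_modules/b"; the package name is
// the part after the last "node_modules/", which also covers scoped names.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (!RSC_PACKAGES.has(name)) continue;
    if (AFFECTED_VERSIONS.has(meta.version)) {
      // Everything before the last node_modules/ is the dependency that pulled it in.
      const via = path.slice(0, idx).replace(/\/$/, "") || "(top level)";
      hits.push({ name, version: meta.version, via });
    }
  }
  return hits;
}

// Constructed sample lockfile: one copy outside the affected list, one nested
// (transitive) affected copy, and one top-level affected copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
  },
};

console.log(findAffected(sampleLock));
```

The `via` field shows which installed dependency carries the nested copy, which is the package to upgrade or override.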

Related CVEs:

CVE-2025-55182

Related threat actors:

No threat actors found in this article

Affected products:

React Server Components, React

IOCs:

No IOCs found in this article

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness, or timeliness of this information.
