


Perceptive Security
SOC/SIEM Consultancy

React disclosed a CVSS 10.0 RCE in React Server Components and is advising users to upgrade affected packages and frameworks to patched versions now.
Published:
3 December 2025 at 22:32:56
Alert date:
5 December 2025 at 08:03:23
Source:
socket.dev

React disclosed a critical CVSS 10.0 remote code execution vulnerability (CVE-2025-55182) in React Server Components. The flaw affects how React decodes payloads sent to React Server Function endpoints, allowing attackers to craft malicious HTTP requests that result in RCE when deserialized. The vulnerability affects React versions 19.0, 19.1.0, 19.1.1, and 19.2.0. Even applications not intentionally exposing React Server Function endpoints may be vulnerable if their stack supports React Server Components through frameworks, bundlers, or plugins. Users are advised to immediately upgrade to patched versions.
Affected products:
React Server Components
React
Related links:
https://socket.dev/blog/critical-security-vulnerability-in-react-server-components?utm_medium=feed
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
This article was created with the assistance of AI technology by Perceptive.