Today’s Notification:
Remote Code Execution Vulnerability in React Server Components
React is an open-source JavaScript library developed by Meta for building user interfaces. Its “React Server Components” (RSC) architecture renders components on the server and serializes the output, which is streamed to the client through the “Flight” protocol in a JSON-like format, enabling interactive experiences while adding nothing to the client-side JavaScript bundle.
The remote code execution vulnerability in React Server Components (CVE-2025-55182) and the remote code execution vulnerability in Next.js (CVE-2025-66478) primarily affect the Server Actions feature in react-server-dom-webpack. Because of insufficient security validation when parsing forms submitted by clients, attackers can construct malicious form requests that directly invoke built-in Node.js modules, thereby executing arbitrary system commands, reading or writing arbitrary files, or even fully compromising the server. Additionally, because Next.js versions 15.x and 16.x rely on the flawed React server DOM package when using the App Router, attackers can also inject malicious code to execute remote commands.
Affected Versions:
react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, and 19.2.0
react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, and 19.2.0
react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, and 19.2.0
Next.js ≥14.3.0-canary.77, ≥15, and ≥16
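As an added example (not part of the advisory), the following Node.js script audits a package-lock.json (lockfile v2/v3 "packages" map) for the affected packages and versions listed above, including nested copies. The sample lockfile is constructed; any Next.js version at or above 14.3.0-canary.77 is flagged for confirmation against the patched releases named in the advisory, since the patched version numbers are not listed here.

```javascript
// Exact versions listed as affected for the three React server DOM packages.
const AFFECTED_EXACT = {
  "react-server-dom-parcel": ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
  "react-server-dom-webpack": ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
  "react-server-dom-turbopack": ["19.0.0", "19.1.0", "19.1.1", "19.2.0"],
};
// Next.js: >=14.3.0-canary.77 (which also covers >=15 and >=16).
const NEXT_MIN_AFFECTED = "14.3.0-canary.77";

function parseVersion(v) {
  const [core, pre] = v.split("-");
  return { nums: core.split(".").map(Number), pre: pre ? pre.split(".") : [] };
}

// Semver-style compare: <0, 0 or >0. A prerelease sorts below the release with the
// same core version; prerelease identifiers compare numerically when both are digits.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre.length === 0 || pb.pre.length === 0) return pb.pre.length - pa.pre.length;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const d = /^\d+$/.test(x) && /^\d+$/.test(y) ? Number(x) - Number(y) : x.localeCompare(y);
    if (d !== 0) return d;
  }
  return 0;
}

// Walks every installed path (root entry "" is skipped) and returns findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path || !info.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if ((AFFECTED_EXACT[name] || []).includes(info.version)) {
      findings.push({ path, name, version: info.version, reason: "listed affected version (CVE-2025-55182)" });
    } else if (name === "next" && compareVersions(info.version, NEXT_MIN_AFFECTED) >= 0) {
      findings.push({ path, name, version: info.version, reason: "in advisory range; confirm against patched releases (CVE-2025-66478)" });
    }
  }
  return findings;
}

// Constructed sample lockfile, not a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "sample-app", version: "1.0.0" },
  "node_modules/next": { version: "15.1.0" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/some-lib/node_modules/react-server-dom-webpack": { version: "18.3.1" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.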
The official team has released patched versions. For specific upgrade instructions, please refer to the official security advisory:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components