Remote Code Execution Security Bug in React Server Components Patched

A React Server Function vulnerability has been patched. Please update to the latest React, Next, React Router, Vite, etc.

December 3rd, 2025

A security advisory published by the React team today details a Remote Code Execution (RCE) vulnerability, CVE-2025-55182, reported by Lachlan Davidson. Here are the key points for determining whether you are affected, and how Semgrep Supply Chain can help verify exposure.

Key Facts

  • Three React packages that exposed unauthenticated Remote Code Execution (RCE) through React Server Functions have been patched.

  • A second CVE, CVE-2025-66478, was filed specifically for the Next.js dependency, but all downstream frameworks that depend on these packages are affected, including but not limited to: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and RedwoodJS (rwsdk). As part of the disclosure, React has provided Update Instructions.

  • Hosting providers including Cloudflare, Vercel, and Railway have firewall rules in place that prevent this vulnerability from being exploited.

  • The recommendation for those using React Router’s unstable RSC APIs is to update to the latest patched versions.

For Our Customers

Semgrep Supply Chain has coverage for these dependencies, so a project scan will show whether they are present in your codebase. We’ve also been checking proactively and will reach out individually if we observe usage of affected packages in recent scans.

Affected Packages

If you don't use Semgrep Supply Chain and your project uses any of the following package versions (directly, or through your dependencies and transitive dependencies), you should update to the latest patched release.

  • next@>=14.3.0-canary.77<15.0.5

  • next@>=15.1.1-canary.0<15.1.9

  • next@>=15.2.0-canary.0<15.2.6

  • next@>=15.3.0-canary.0<15.3.6

  • next@>=15.4.0-canary.0<15.4.8

  • next@>=15.5.1-canary.0<15.5.7

  • next@>=16.0.0-canary.0<16.0.7

  • react-server-dom-parcel@=19.0

  • react-server-dom-parcel@>=19.1.0<19.1.2

  • react-server-dom-parcel@=19.2.0

  • react-server-dom-turbopack@=19.0

  • react-server-dom-turbopack@>=19.1.0<19.1.2

  • react-server-dom-turbopack@=19.2.0

  • react-server-dom-webpack@=19.0

  • react-server-dom-webpack@>=19.1.0<19.1.2

  • react-server-dom-webpack@=19.2.0
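As an added example (not code from Semgrep, React, or this advisory), the following Node.js script checks the versions recorded in an npm lockfile (the v2/v3 "packages" map) against the ranges listed above. It implements semver prerelease ordering itself so that canary builds such as 15.0.5-canary.1 are correctly treated as older than the patched 15.0.5; the lockfile fragment at the end is constructed.

```javascript
// Affected ranges copied from the advisory above, in its own "name@range" notation.
const AFFECTED = [
  'next@>=14.3.0-canary.77<15.0.5', 'next@>=15.1.1-canary.0<15.1.9', 'next@>=15.2.0-canary.0<15.2.6',
  'next@>=15.3.0-canary.0<15.3.6', 'next@>=15.4.0-canary.0<15.4.8', 'next@>=15.5.1-canary.0<15.5.7',
  'next@>=16.0.0-canary.0<16.0.7',
  'react-server-dom-parcel@=19.0', 'react-server-dom-parcel@>=19.1.0<19.1.2', 'react-server-dom-parcel@=19.2.0',
  'react-server-dom-turbopack@=19.0', 'react-server-dom-turbopack@>=19.1.0<19.1.2', 'react-server-dom-turbopack@=19.2.0',
  'react-server-dom-webpack@=19.0', 'react-server-dom-webpack@>=19.1.0<19.1.2', 'react-server-dom-webpack@=19.2.0',
];
// "1.2.3-canary.4" -> { main: [1, 2, 3], pre: ['canary', 4] }; a short "19.0" is padded to 19.0.0.
function parseVersion(v) {
  const [main, ...pre] = v.split('-');
  const nums = main.split('.').map(Number);
  while (nums.length < 3) nums.push(0);
  const ids = pre.length ? pre.join('-').split('.').map(x => (/^\d+$/.test(x) ? Number(x) : x)) : [];
  return { main: nums, pre: ids };
}
// Semver precedence: numeric major.minor.patch, then a prerelease sorts before its release,
// then prerelease identifiers compare numerically (numbers before strings) or lexically.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.main[i] !== B.main[i]) return A.main[i] - B.main[i];
  if (!A.pre.length !== !B.pre.length) return A.pre.length ? -1 : 1;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1; // shorter list is lower
    if (x !== y) return typeof x !== typeof y ? (typeof x === 'number' ? -1 : 1) : (x < y ? -1 : 1);
  }
  return 0;
}
// One advisory range: "=X" means exactly X, ">=A<B" is the half-open interval [A, B).
function inRange(version, spec) {
  if (spec.startsWith('=')) return compareVersions(version, spec.slice(1)) === 0;
  const [, lo, hi] = spec.match(/^>=(.+)<(.+)$/);
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0;
}
// Scan a lockfile's "packages" map (keys like "node_modules/next") for entries in an affected range.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split('node_modules/').pop();
    for (const rule of AFFECTED) {
      const [rname, spec] = rule.split('@');
      if (rname === name && inRange(entry.version, spec)) hits.push({ name, version: entry.version, spec });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not from any real project) to exercise the check.
const SAMPLE_LOCK = { packages: { 'node_modules/next': { version: '15.5.6' },
  'node_modules/react-server-dom-turbopack': { version: '19.2.0' }, 'node_modules/react-dom': { version: '19.2.0' } } };
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and print the result of `findAffected`.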

What is Remote Code Execution (RCE)

Remote Code Execution is a class of vulnerability in which a malicious user sends crafted input to a server-side function and tricks the server into running attacker-controlled code in an environment that should be protected. In this case, insecure deserialization of HTTP request payloads can be abused to execute arbitrary code on the server.

Check back for additional updates on how the vulnerability pattern works.

Recommendations

If you are currently using any impacted packages, follow the Update Instructions provided by React to upgrade to versions 19.0.1, 19.1.2, or 19.2.1.

About


Semgrep enables teams to use industry-leading AI-assisted static application security testing (SAST), supply chain dependency scanning (SCA), and secrets detection. The Semgrep AppSec Platform is built for teams that struggle with noise by helping development teams apply secure coding practices.