A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Vulnerable code in react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages unsafely deserializes (unsafe deserialization, CWE-502) data transmitted in HTTP requests directed to Server Function endpoints. An unauthenticated attacker can craft a malicious payload in an HTTP request that, after deserialization on the server side, will lead to arbitrary code execution. The vulnerability requires no user interaction or special privileges, and its scope includes breaking isolation boundaries (Scope: Changed).
An attacker can gain full control over the server — steal sensitive data, modify or destroy system resources, and cause service unavailability. Due to the lack of authentication requirement, the vulnerability poses a direct threat to every publicly accessible application based on React Server Components in vulnerable versions.
Immediately update the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages to a version containing the security patch, in accordance with the official announcement published by React at https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components. Until the patch is deployed, consider restricting access to Server Function endpoints at the firewall or reverse proxy level.
React Server Components in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Affects projects based on Vercel Next.js and Facebook React using these packages.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HFacebook React
APPFacebook19.0.019.1.019.1.119.2.0Vercel Next.js
APPVercel14.3.015.6.016.0.015.3.0 – 15.3.6 (bez)15.4.0 – 15.4.8 (bez)15.5.0 – 15.5.7 (bez)16.0.0 – 16.0.7 (bez)15.2.0 – 15.2.6 (bez)15.1.0 – 15.1.9 (bez)15.0.0 – 15.0.5 (bez)
CISA KEV — detailsi
- Vendori
- Meta
- Producti
- React Server Components
- Added to KEVi
- December 5, 2025
- Remediation deadline (US Federal)i
- December 12, 2025(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.
Related vulnerabilities
Pominięcie autoryzacji w middleware Next.js przez nagłówek x-middleware-subrequest
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2....
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2....
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2....
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2...