React Now: Why a Major Security Vulnerability in React Server Components is a Severe Threat


Matthew Garrepy
4 min read

Stay updated, my friends. This one’s a doozy.

If you haven’t already heard the React shot heard ‘round the world: Lachlan Davidson, Innovation Lead at Carapace Security, discovered a critical vulnerability in the server-side packages of the popular and widely used React library. It allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

How bad is it? It was disclosed as CVE-2025-55182 and carries a CVSS score of 10.0, the maximum the Common Vulnerability Scoring System allows. That’s as severe as it gets.

Where is it, exactly? According to the React team’s disclosure, the vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.

While it was first reported on November 29th, it wasn’t publicly disclosed until December 3rd. Following disclosure, AWS threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.

For detailed upgrade and mitigation instructions, read the React blog and check back regularly for additional updates.

Don’t panic, but act quickly

A fix was released in versions 19.0.1, 19.1.2, and 19.2.1. Even if your app doesn’t implement any React Server Function endpoints, it can still be vulnerable as long as it supports React Server Components. The bottom line: upgrade immediately.

A key point: if your app’s React code does not use a server, or a framework, bundler, or bundler plugin that supports React Server Components, it is not impacted by this vulnerability. That said, several React frameworks and bundlers depend on or bundle the vulnerable React packages, including:

  • Next.js (versions 14.x canary, 15.x, 16.x)
  • React Router (RSC preview versions)
  • Waku (minimal React framework)
  • @vitejs/plugin-rsc 
  • @parcel/rsc 
  • RedwoodJS (rwsdk) 

According to the React blog, hosting providers have put temporary mitigations in place, but you shouldn’t rely on those to fully secure your app. So roll with that update.

Vercel, the company behind the incredibly popular Next.js, is also taking proactive steps: any new deployment containing a vulnerable version of the framework will automatically fail to deploy on its platform.

What the heck happened?

As Lachlan said in his recent LinkedIn post, there's more nitty-gritty to unpack with all of this, and we’re sure to get more details regarding the vulnerability after the rollout is considered complete and the dust settles.

Currently, here’s the gist of it: React Server Functions allow a client to call a function on a server, providing the integration points that frameworks and bundlers use to let React code run on both the client and the server. The client serializes the call into an HTTP request, the server decodes the payload and turns it into a function call, and the result is sent back to the client.

According to The Hacker News, the real problem stems from insecure deserialization in the library’s RSC Flight protocol, which React uses for that server/client communication. An unauthenticated remote attacker can craft a malicious HTTP request to any Server Function endpoint; when React deserializes the payload, the attacker can achieve remote code execution on the server. And that’s where the trouble starts.

Why it matters

React has been a game-changer in the digital landscape, specifically through the rise of headless CMSes and Jamstack architectures. There are a lot of fuzzy numbers out there, but most reputable estimates suggest that React is used by millions of websites globally. W3Techs reports that React is used by 7.7% of all websites whose JavaScript library is known, which translates to 6.2% of all websites.

That’s not the lion’s share, but when you consider the notable enterprises utilizing it within their workloads, the scope feels even bigger. Major brands like Facebook, Netflix, Airbnb, Instagram, WhatsApp, and Shopify utilize React or React Native in various parts of their platforms, demonstrating its widespread adoption in both web and mobile development.

Security is job zero for everyone, and no system or framework will ever be beyond a vulnerability at some point in its lifecycle. And the more dependent we are on open source libraries and composable, interoperable architectures, the more likely it is that we’ll see a growing surface area of failure points.

From a “fix” perspective, transparency is key. We need to shorten the response time and the gap to action, so stakeholders can “react” as quickly as possible and minimize the impact. Obviously, having patched packages ready to upgrade to was a key part of the solution, but I think it was smart to enable the hosting-provider mitigations as a temporary line of defense.

As we learn more, we'll dig into it. For now, the best advice? Stay vigilant. And stay updated, my friends…


Tags: Security, Vulnerability, JavaScript, React
©2025 CMS Critic. All rights reserved.