An unauthenticated attacker could send a malicious HTTP request to a React Server Function endpoint to execute code on the system. According to the vendor, any app using React Server Components could be vulnerable even if React Server Function endpoints are not implemented.
Who is affected?
CVE-2025-55182 impacts the following versions of React Server Components:
Note: Any app built on a vulnerable version of React Server Components is affected, even if it does not implement React Server Function endpoints itself (see the vendor statement above).
Vulnerable components:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Vulnerable versions:
- 19.0 before 19.0.1
- 19.1.0 before 19.1.2
- 19.2.0 before 19.2.1
What can I do?
Customers should upgrade the vulnerable components to a fixed version or higher as soon as possible.
Vulnerable components:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Fixed versions:
- 19.0.1
- 19.1.2
- 19.2.1
Additional information from the vendor can be found at: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
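As an added example (not code from Fortra or the React project), the audit below walks an npm package-lock.json and flags any install of the three affected packages whose version falls inside the vulnerable ranges listed above, reporting the fixed version to upgrade to. It assumes a lockfileVersion 2 or 3 lock (a `packages` map keyed by `node_modules/<name>` paths, including nested installs); the sample lock is constructed inline, and a prerelease of a fixed version (e.g. 19.1.2-canary) is conservatively treated as not yet fixed.

```javascript
// Added example, not Fortra's or React's code: audit an npm package-lock.json
// for React Server Components packages affected by CVE-2025-55182.
// Assumption: lockfileVersion 2/3 layout ("packages" map keyed by path).

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// Vulnerable ranges from the advisory: [from, fixedIn) per release line.
const VULNERABLE_RANGES = [
  { from: "19.0.0", fixedIn: "19.0.1" },
  { from: "19.1.0", fixedIn: "19.1.2" },
  { from: "19.2.0", fixedIn: "19.2.1" },
];

// Minimal semver parser: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] !== undefined };
}

// Returns <0, 0 or >0. Per semver a prerelease sorts below its release, so
// "19.1.2-canary" compares as *before* 19.1.2, i.e. it is still flagged.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease === pb.prerelease) return 0;
  return pa.prerelease ? -1 : 1;
}

// The matching vulnerable range for a version, or undefined if none.
function vulnerableRange(version) {
  return VULNERABLE_RANGES.find(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixedIn) < 0
  );
}

function isVulnerableVersion(version) {
  return vulnerableRange(version) !== undefined;
}

// Walk the "packages" map of a package-lock.json and return one finding per
// vulnerable install (nested installs under other packages included).
function findVulnerablePackages(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx < 0 || !meta || !meta.version) continue; // root entry or workspace link
    const name = path.slice(idx + marker.length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const range = vulnerableRange(meta.version);
    if (range) {
      findings.push({ path, name, version: meta.version, upgradeTo: range.fixedIn });
    }
  }
  return findings;
}

// Constructed sample lock (not a real project): two vulnerable installs,
// one already on a fixed version, plus an unrelated package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-parcel": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-turbopack": { version: "19.0.0" },
  },
};

for (const f of findVulnerablePackages(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is vulnerable, upgrade to ${f.upgradeTo}`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findVulnerablePackages` instead of the sample; a lockfileVersion 1 file uses a `dependencies` tree rather than `packages` and would need a different walker. Remember that the nested-install case matters here: a transitive copy of one of these packages under another dependency is just as reachable as a top-level one.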
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities. Details will be provided below.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
