Critical Security Vulnerability in React Server Components
The React team disclosed a critical vulnerability that allows remote code execution in apps using Server Components. Learn how to protect yourself.
On December 3, 2025, the React team disclosed a critical security vulnerability affecting applications using React Server Components (RSC). This is one of the most serious vulnerabilities ever found in the React ecosystem.
The Problem
An unauthenticated attacker can craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution (RCE) on the server.
This means an attacker could potentially:
- Execute arbitrary commands on your server
- Access sensitive data
- Compromise the entire application
Are You Affected?
Your application is NOT affected if:
- Your React code doesn't use a server
- You don't use a framework or bundler that supports React Server Components
Your application IS affected if you use:
- Next.js
- React Router (with RSC)
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- Redwood SDK (rwsdk)
Immediate Action
Update to one of the fixed versions:
- React 19.0.1
- React 19.1.2
- React 19.2.1
For Next.js
npm install next@latest
For React Router
npm install react-router@latest
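One way to check a project's lockfile against the fixed versions listed above, as an added example that is not from the React team or the original post. It assumes an npm package-lock.json (lockfileVersion 2 or 3); the function names and the sample lockfile are constructed, and versions outside the 19.0, 19.1 and 19.2 lines are reported as unknown because the post gives no fixed version for them.

```javascript
// Fixed patch per minor line, taken from the post: 19.0.1, 19.1.2, 19.2.1.
const FIXED = { "19.0": 1, "19.1": 2, "19.2": 1 };
// Packages the post lists as affected (react-router only when used with RSC).
const RSC_PACKAGES = ["next", "react-router", "waku", "@parcel/rsc", "@vitejs/plugin-rsc", "rwsdk"];

// Classify one resolved React version string (hypothetical helper).
function classifyReact(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!m) return "unknown";
  const line = `${m[1]}.${m[2]}`;
  if (!(line in FIXED)) return "unknown"; // the post gives no fixed version for this line
  const patch = Number(m[3]);
  // A prerelease of the fixed patch (e.g. 19.0.1-rc.0) sorts before the release.
  if (patch < FIXED[line] || (patch === FIXED[line] && m[4])) return "needs-update";
  return "fixed";
}

// Walk the lockfile "packages" map; keys look like "node_modules/a/node_modules/react".
function auditLockfile(lock) {
  const findings = { react: [], frameworks: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project entry ""
    const name = path.slice(idx + "node_modules/".length);
    if (name === "react") {
      findings.react.push({ path, version: meta.version, status: classifyReact(meta.version) });
    } else if (RSC_PACKAGES.includes(name)) {
      findings.frameworks.push({ name, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample input, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/next": { version: "0.0.0-placeholder" },
    "node_modules/some-lib/node_modules/react": { version: "19.2.1" },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A framework can ship its own copy of React, so a `fixed` result for `react` does not replace the framework update commands above.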
Don't wait! If you use React Server Components, update now. This vulnerability is critical and can completely compromise your server.