Critical vulnerability in React Server Components (CVE-2025-55182)
A serious vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and major frameworks built on it, including Next.js, where the issue is tracked as CVE-2025-66478. The vulnerability has a CVSS score of 10.0: attackers may be able to influence server-side execution and, under certain conditions, achieve remote code execution (RCE) on systems that are not patched.
Next.js Users:
All releases between Next.js 15 and Next.js 16 are vulnerable. We strongly recommend that you upgrade immediately to the patched versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. These updates include a stronger implementation of React Server Components that completely fixes the vulnerability.
Other Frameworks Using Server Components:
If your framework depends on React 19’s Server Components, you need to update React to one of the patched versions: 19.0.1, 19.1.2, or 19.2.1.
Important Notices
This is a serious security issue (RCE risk). Delaying updates may leave your application open to attacks.
Applications using Pages Router, Next.js 13.x, and Next.js 14.x stable are not affected.
The vulnerability impacts only environments that use React Server Components with untrusted request handling.
All developers should check their deployments and ensure they are running one of the fixed versions.
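One way to run that check over an inventory of installed versions, as an added example (not code from Techseya, React or Next.js). The version table is copied from this notice; the function names and the sample inventory are hypothetical, and releases the notice does not cover (prereleases, unlisted release lines) are reported as "review" rather than guessed.

```javascript
// Minimum patched patch level per release line, copied from the notice above.
const PATCHED = {
  next: { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 },
  react: { "19.0": 1, "19.1": 2, "19.2": 1 },
};
// First major version the notice lists as affected.
const FIRST_AFFECTED_MAJOR = { next: 15, react: 19 };

// Returns "patched", "vulnerable", "not-affected" or "review".
// Note: a Pages Router app is unaffected per the notice, but that cannot be
// derived from a version number, so it is not modelled here.
function classify(pkg, version) {
  if (!Object.hasOwn(PATCHED, pkg)) return "review"; // not covered by the notice
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return "review"; // a range such as "^15.1.0" is not an installed version
  if (m[4]) return "review"; // canary/rc build: the notice only speaks about stable
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major < FIRST_AFFECTED_MAJOR[pkg]) return "not-affected";
  const minPatch = PATCHED[pkg][`${major}.${minor}`];
  if (minPatch === undefined) return "review"; // release line not listed in the notice
  return patch >= minPatch ? "patched" : "vulnerable";
}

// installed: { packageName: resolvedVersion }, for example taken from a lockfile.
function audit(installed) {
  const report = {};
  for (const [pkg, version] of Object.entries(installed)) {
    if (Object.hasOwn(PATCHED, pkg)) {
      report[pkg] = { version, status: classify(pkg, version) };
    }
  }
  const ok = Object.values(report)
    .every((r) => r.status === "patched" || r.status === "not-affected");
  return { ok, report };
}

// Constructed sample inventory (not from a real deployment).
const sample = { next: "15.3.2", react: "19.1.2", lodash: "4.17.21" };
console.log(JSON.stringify(audit(sample), null, 2));
```

Feed it resolved versions from the lockfile or the built artifact, not the ranges in package.json, since a range does not say what was actually installed.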
Techseya Security Team Notice
If your application is covered under the Techseya maintenance service, our Security Department will automatically apply the updates needed to keep your application safe. Clients not under maintenance should contact us urgently for help with patching.
