Summary of CVE-2025-55182

Summary

A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Under certain conditions, specially crafted requests could lead to unintended remote code execution. Projects hosted on Vercel benefit from platform-level protections that already block malicious request patterns associated with this issue. However, we still strongly recommend upgrading to a patched version regardless of your hosting provider.

Impact

Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution. The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the following packages:

  • react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

  • react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

  • react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

These packages are included in the following frameworks and bundlers:

  • Next.js using App Router on 14.3.0-canary.77 or any later 14.x canary release, and on all 15.x and 16.x releases earlier than the fixed versions listed below

  • Other frameworks and plugins that embed or depend on React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Resolution

Updated releases of React and affected downstream frameworks include hardened handling of user inputs to prevent unintended behavior. All users should upgrade to a patched version as soon as possible. If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release.

Fixed in:

  • React: 19.0.1, 19.1.2, 19.2.1

  • Next.js: 15.0.5, 15.1.9, 15.3.6, 15.4.8, 15.5.7, 16.0.7

  • Next.js releases in progress: 15.2.6

Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.
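The affected and fixed versions above are easy to misread by hand, especially the 14.x canary boundary and the per-line Next.js fixes. The following is an added example, not Vercel's, React's or Next.js's own code, that encodes those lists and classifies resolved package versions (for instance the output of `npm ls --json` or a lockfile) against them. The version map it runs on is constructed for illustration, and the status labels (`affected`, `patched`, `affected-fix-pending`, `affected-no-fix-listed`, `not-affected`) are this example's own naming. It cannot tell whether a Next.js project actually uses App Router, so a flagged `next` version still needs that check by the reader.

```javascript
// Added example: version triage for CVE-2025-55182 / CVE-2025-66478.
// Tables below are copied from the advisory text; the sample inventory is constructed.

// react-server-dom-* versions named as vulnerable in the advisory.
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
];
// First Next.js release carrying the fix, keyed by "major.minor" line.
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};
// Line whose fix the advisory lists as still in progress.
const NEXT_PENDING = { "15.2": "15.2.6" };
// Earliest affected 14.x canary; stable 14.x is not affected.
const NEXT_CANARY_START = "14.3.0-canary.77";

// Parse "15.4.8" or "14.3.0-canary.77" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Semver-style ordering: a pre-release sorts before the release with the same triple,
// and pre-release identifiers compare numerically when both sides are numeric.
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  const ap = a.pre.split("."), bp = b.pre.split(".");
  for (let i = 0; i < Math.max(ap.length, bp.length); i++) {
    if (ap[i] === undefined) return -1;
    if (bp[i] === undefined) return 1;
    const an = /^\d+$/.test(ap[i]), bn = /^\d+$/.test(bp[i]);
    if (an && bn) { if (+ap[i] !== +bp[i]) return +ap[i] - +bp[i]; }
    else if (an) return -1;
    else if (bn) return 1;
    else if (ap[i] !== bp[i]) return ap[i] < bp[i] ? -1 : 1;
  }
  return 0;
}

// react-server-dom-* is an exact-version list, so an exact match is the test.
function checkRsc(version) {
  return AFFECTED_RSC.has(version) ? "affected" : "not-affected";
}

function checkNext(version) {
  const v = parseVersion(version);
  if (v.major < 14) return "not-affected";
  if (v.major === 14) {
    // Only canary builds from 14.3.0-canary.77 onward are affected.
    const inCanaryRange = v.pre !== null && compare(v, parseVersion(NEXT_CANARY_START)) >= 0;
    return inCanaryRange ? "affected" : "not-affected";
  }
  const line = `${v.major}.${v.minor}`;
  if (NEXT_FIXED[line]) {
    return compare(v, parseVersion(NEXT_FIXED[line])) >= 0 ? "patched" : "affected";
  }
  if (NEXT_PENDING[line]) {
    return compare(v, parseVersion(NEXT_PENDING[line])) >= 0 ? "patched" : "affected-fix-pending";
  }
  // 15.x / 16.x line with no fixed release named in the advisory.
  return "affected-no-fix-listed";
}

// Run the checks over a name -> resolved-version map; packages outside scope are skipped.
function audit(installed) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    let status;
    if (RSC_PACKAGES.includes(name)) status = checkRsc(version);
    else if (name === "next") status = checkNext(version);
    else continue;
    findings.push({ name, version, status });
  }
  return findings;
}

// Constructed sample inventory (not taken from any real project).
const SAMPLE = {
  "next": "15.4.7",
  "react-server-dom-webpack": "19.2.0",
  "react-server-dom-turbopack": "19.2.1",
  "express": "4.19.2",
};

for (const f of audit(SAMPLE)) console.log(`${f.name}@${f.version}: ${f.status}`);
```

Feed it resolved versions rather than `package.json` ranges: a `^19.2.0` range says nothing about what is actually installed, and the react-server-dom-* packages are usually transitive dependencies of the framework, so they only show up in the lockfile or in `npm ls` output.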

Credit

Thanks to Lachlan Davidson for identifying and responsibly reporting the vulnerability, and the Meta Security and React team for their partnership.

References