{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-041.pdf"
    },
    "title": "Critical Security Vulnerability in React Server Components",
    "serial_number": "2025-041",
    "publish_date": "04-12-2025 13:50:51",
    "description": "On December 3, 2025, the React Team publicly disclosed a critical security vulnerability affecting React Server Components (RSC) and related packages. The vulnerability allows for unauthenticated remote code execution (RCE) via maliciously crafted HTTP requests.<br>\nIt is recommended to update all affected component packages and any frameworks that integrate them.<br>\n",
    "url_title": "2025-041",
    "content_markdown": "---    \ntitle: 'Critical Security Vulnerability in\u00a0React\u00a0Server\u00a0Components'\nnumber: '2025-041'\nversion: '1.0'\noriginal_date: '2025-12-03'\ndate: '2025-12-04'\n---\n\n_History:_\n\n* _04/12/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 3, 2025, the React Team publicly disclosed a critical security vulnerability affecting React Server Components (RSC) and related packages. The vulnerability allows for unauthenticated remote code execution (RCE) via maliciously crafted HTTP requests [1].\n\nIt is recommended to update all affected component packages and any frameworks that integrate them.\n\n# Technical Details\n\nThe vulnerability **CVE-2025-55182**, with a CVSS score of 10, is due to unsafe deserialisation of payloads from HTTP requests to React Server Function endpoints. It allows for unauthenticated remote code execution (RCE) via maliciously crafted HTTP requests [1].\n\nReact Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client [1].\n\n# Affected Products\n\nThe vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React Server Components packages:\n\n- react-server-dom-webpack\n- react-server-dom-parcel\n- react-server-dom-turbopack\n\nAny framework or tool that integrates React Server Components using the affected packages may inherit the vulnerability.\n\nConfirmed affected ecosystem components include:\n\n- **Next.js App Router** (multiple impacted versions)\n- **RSC plugin for Vite**\n- **RSC plugin for Parcel**\n- **React Router\u2019s unstable RSC APIs**\n- **Redwood SDK**\n- **Waku**\n- Any third-party project bundling vulnerable `react-server-dom-*` packages\n\n# Recommendations\n\nIt is recommended to update affected React Server Components packages to a fixed version (19.0.1, 19.1.2, or 19.2.1) as soon as possible.\n\nDepending on the affected ecosystem in use, the React Team has provided additional instructions [1].\n\n# References\n\n[1] <https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components>",
    "content_html": "<p><em>History:</em></p><ul><li><em>04/12/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 3, 2025, the React Team publicly disclosed a critical security vulnerability affecting React Server Components (RSC) and related packages. The vulnerability allows for unauthenticated remote code execution (RCE) via maliciously crafted HTTP requests [1].</p><p>It is recommended to update all affected component packages and any frameworks that integrate them.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2025-55182</strong>, with a CVSS score of 10, is due to unsafe deserialisation of payloads from HTTP requests to React Server Function endpoints. It allows for unauthenticated remote code execution (RCE) via maliciously crafted HTTP requests [1].</p><p>React Server Functions allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client [1].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of the following React Server Components packages:</p><ul><li>react-server-dom-webpack</li><li>react-server-dom-parcel</li><li>react-server-dom-turbopack</li></ul><p>Any framework or tool that integrates React Server Components using the affected packages may inherit the vulnerability.</p><p>Confirmed affected ecosystem components include:</p><ul><li><strong>Next.js App Router</strong> (multiple impacted versions)</li><li><strong>RSC plugin for Vite</strong></li><li><strong>RSC plugin for Parcel</strong></li><li><strong>React Router\u2019s unstable RSC APIs</strong></li><li><strong>Redwood SDK</strong></li><li><strong>Waku</strong></li><li>Any third-party project bundling vulnerable <code>react-server-dom-*</code> packages</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update affected React Server Components packages to a fixed version (19.0.1, 19.1.2, or 19.2.1) as soon as possible.</p><p>Depending on the affected ecosystem in use, the React Team has provided additional instructions [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\">https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}