The React Team:
On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.
This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.
The security fix was implemented in a pull request to patch FlightReplyServer. The security changes are mixed with other refactored code, but the core fix is:
```js
// Vulnerable (v19.0.0)
return moduleExports[metadata[NAME]];

// Fixed (v19.2.1)
if (hasOwnProperty.call(moduleExports, metadata[NAME]))
  return moduleExports[metadata[NAME]];
```

__proto__ strikes again. Upgrade now if you’re affected.
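To show why the own-property check matters, here is an added illustration in JavaScript. It is not React's code and not from the advisory: a stand-in resolver maps a name taken from an untrusted payload to an export of a constructed `moduleExports` object, first with a bare property read like the vulnerable line above, then gated by `hasOwnProperty`. The `deleteItem` export, the `moduleExports` object and the resolver names are assumptions made for the demo.

```javascript
// Added illustration of the lookup pattern discussed above; this is not
// React's code. The module object, export and names are constructed.

// Constructed stand-in for a bundler's module exports object. It is a plain
// object, so it inherits everything defined on Object.prototype.
const moduleExports = {
  deleteItem: (id) => `deleted ${id}`,
};

// Vulnerable pattern: a bare property read with an attacker-chosen key walks
// the prototype chain, so keys such as "__proto__" or "constructor" resolve
// to inherited values rather than to exports of this module.
function resolveVulnerable(exports, name) {
  return exports[name];
}

// Fixed pattern: only own properties of the exports object are resolvable;
// anything else is rejected before it can be treated as a server function.
function resolveFixed(exports, name) {
  if (!Object.prototype.hasOwnProperty.call(exports, name)) {
    throw new Error(`unknown server reference: ${name}`);
  }
  return exports[name];
}

// Describe what a lookup produced so the two resolvers can be compared.
function classify(value) {
  if (value === undefined) return 'undefined';
  if (value === Object.prototype) return 'Object.prototype';
  if (value === Object) return 'Object constructor';
  if (typeof value === 'function') return 'function';
  return typeof value;
}

// Run one resolver over names an untrusted payload might carry. A Map holds
// the results because a plain object would treat the "__proto__" key
// specially, which is the very behaviour being demonstrated.
function probe(resolver) {
  const names = ['deleteItem', '__proto__', 'constructor', 'hasOwnProperty', 'toString'];
  const results = new Map();
  for (const name of names) {
    try {
      results.set(name, classify(resolver(moduleExports, name)));
    } catch (err) {
      results.set(name, 'rejected');
    }
  }
  return results;
}

// A decoder that resolves a reference goes on to invoke it with
// payload-controlled arguments, so what matters is whether the resolved
// value is callable. Returns true when `name` resolves to a function.
function isCallable(resolver, name) {
  try {
    return typeof resolver(moduleExports, name) === 'function';
  } catch (err) {
    return false;
  }
}

for (const [name, what] of probe(resolveVulnerable)) {
  console.log('vulnerable', name, '->', what);
}
for (const [name, what] of probe(resolveFixed)) {
  console.log('fixed     ', name, '->', what);
}
```

Two points worth noting. The inherited values the vulnerable resolver returns for `constructor`, `hasOwnProperty` and `toString` are functions, so a decoder that invokes whatever it resolved will happily call them; the own-property check closes that path. The demo uses a plain object because bundler-generated CommonJS-style export objects are plain objects; a native ES module namespace object has a null prototype and would return `undefined` for `__proto__`, which is why this class of bug depends on how exports are materialised.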
A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages, please upgrade to any of the fixed versions immediately.
If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.