Kevin BeaumontDec 3

There is an unauthenticated remote code execution vulnerability in React Server Components.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by this vulnerability.

CVE-2025-55182

Mastodon server not impacted btw.

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Critical Security Vulnerability in React Server Components – React

The library for web and native user interfaces

Show threadKevin BeaumontDec 3
Vulnerability hype train derail time - these vulns only apply to React 19 (released within the past year) and only when using a specific new feature, React Server.
Show threadCedric
@GossiTheDog With this many sightings (mostly from Bluesky), there is surely at least a bit of hype: https://vulnerability.circl.lu/vuln/CVE-2025-55182#sightings
cvelistv5 - CVE-2025-55182

Vulnerability-Lookup - Fast vulnerability lookup correlation from different sources.

Dec 3 at 8:21pmWeb