There is an unauthenticated remote code execution vulnerability in React Server Components.

Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by this vulnerability.

CVE-2025-55182

Mastodon server not impacted btw.

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Critical Security Vulnerability in React Server Components – React


Vulnerability hype train derail time - these vulns only apply to React 19 (released within the past year) and only when using a specific new feature, React Server.

The React vulns have the usual panicked nonsense going on - people posting fake PoCs (all of them are fake), people spraying fake PoCs over the whole internet, people posting screenshots of fake PoC activity thinking it is real, doomsday scenario posts, etc., etc.

It’s actually a niche scenario bug for the vast majority of orgs, just stay calm and patch if you are actually impacted (spoiler: you probably aren’t).

@GossiTheDog did Qualys really use the fake PoC to show that they reconstructed the vulnerability? https://threatprotect.qualys.com/2025/12/04/react-server-components-rsc-remote-code-execution-vulnerabilities/