Critical Security Vulnerability in React Server Components

Immediate Action Required: If you are using React Server Components with Next.js, React Router, Waku, or other affected frameworks, you must update your dependencies immediately.

On December 3, 2025, the React team announced a critical security vulnerability affecting React Server Components (RSC). This vulnerability allows for Remote Code Execution (RCE) on the server, posing a severe risk to applications utilizing RSC.

The Vulnerability

The issue lies in how React deserializes requests sent to Server Functions (also known as Server Actions). An unauthenticated attacker can craft a malicious HTTP request to any Server Function endpoint. When React processes this request, it can be tricked into executing arbitrary code on the server.

This is a classic deserialization vulnerability, but its impact is magnified by the direct exposure of server-side logic in RSC architectures.

Affected Frameworks

The following frameworks and bundlers are known to be affected as they rely on the vulnerable React packages:

  • Next.js
  • React Router
  • Waku
  • RedwoodJS (via rwsdk)
  • Parcel (@parcel/rsc)
  • Vite (@vitejs/plugin-rsc)

How to Fix

The React team and framework maintainers have released patched versions. You need to upgrade your framework and React dependencies to the latest secure versions.

Next.js Users

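Update to the latest patch release of Next.js 15 or 16 immediately. Note that the `latest` tag used below resolves to the newest major release, so a project staying on Next.js 15 should request the newest 15.x release instead.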

npm install next@latest react@latest react-dom@latest
# or
bun update next react react-dom

Other Frameworks

Check the official advisory and your framework's release notes for the specific version numbers that include the fix.
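
To confirm an upgrade actually took effect, the following added example (not code from the React team or any framework) lists every installed copy of the packages named on this page from a parsed package-lock.json, including nested duplicates that a top-level upgrade can leave behind. The sample lockfile, the `some-widget` package and all version strings are constructed placeholders; compare real output against the fixed versions given in the official advisory.

```javascript
// Added example: inventory RSC-related packages recorded in a package-lock.json.
// WATCHED holds only package names mentioned on this page.
const WATCHED = new Set([
  "next", "react", "react-dom", "react-router", "waku", "rwsdk",
  "@parcel/rsc", "@vitejs/plugin-rsc",
]);

// Return every installed copy of a watched package, nested duplicates included.
function inventory(lock) {
  const found = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      if (i === -1 || meta.link) continue; // root project, workspace, or symlink
      const name = path.slice(i + "node_modules/".length);
      if (WATCHED.has(name)) found.push({ name, version: meta.version, path });
    }
  } else {
    // Lockfile v1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (WATCHED.has(name)) found.push({ name, version: meta.version, path });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// Watched packages resolved at more than one version: an old copy may remain.
function mixedVersions(found) {
  const byName = new Map();
  for (const { name, version } of found) {
    if (!byName.has(name)) byName.set(name, new Set());
    byName.get(name).add(version);
  }
  return [...byName].filter(([, vs]) => vs.size > 1).map(([n]) => n).sort();
}

// Constructed sample lockfile (some-widget is hypothetical); versions are placeholders.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/next": { version: "0.0.2" },
  "node_modules/react": { version: "0.0.2" },
  "node_modules/some-widget/node_modules/react": { version: "0.0.1" },
}};
console.log(inventory(sampleLock), mixedVersions(inventory(sampleLock)));
```

In a real project, pass the parsed contents of package-lock.json to `inventory`. Any name returned by `mixedVersions` deserves a closer look, since one of its copies may still be an unpatched release.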

Mitigation

If you cannot upgrade immediately, some hosting providers have implemented temporary mitigations at the infrastructure level to block malicious requests. However, you should not rely on these mitigations as a permanent solution. Patching your application is the only way to ensure complete safety.

Conclusion

Security is a shared responsibility. While RSC offers a powerful new paradigm for building web applications, it also introduces new attack vectors. Stay vigilant, keep your dependencies up to date, and monitor official channels for security advisories.

For more details, read the full advisory on the React Blog.