A remote code execution vulnerability (CVE-2025-55182) has been discovered in React Server Components packages versions 19.0.0 through 19.2.0, affecting Next.js 15.x and 16.x applications using the App Router. The vulnerability impacts react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. Patches are available in React 19.0.1, 19.1.2, 19.2.1 and Next.js versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. Users should upgrade immediately to patched versions.
Sort: