React security advisory (AV25-804)

Serial number: AV25-804
Date: December 3, 2025

On December 3, 2025, React Foundation published a security advisory to address a critical vulnerability in the following products:

  • CVE-2025-55182 affecting:
    • react-server-dom-webpack – versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0
    • react-server-dom-parcel – versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0
    • react-server-dom-turbopack – versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0

Libraries and frameworks bundling react-server implementations are likely to be affected. Common examples include:

  • Next.js
  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodSDK
  • Waku

No proof of exploitation has been recorded yet, but multiple proofs of concept (PoCs) have been released. Given the CVSS score of 10.0 and the network accessibility of the flaw, this vulnerability must be treated as easily exploitable, and mitigations should be applied as soon as possible.

The Cyber Centre encourages users and administrators to review the web link provided and apply the necessary updates.
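
To find out whether a project resolves one of the affected versions listed above, including copies pulled in transitively, the parsed npm lockfile can be checked. The following is an added example, not part of the advisory or of React's own tooling; the function name, the sample lockfile and its placeholder versions are constructed for illustration.

```javascript
// Affected versions exactly as listed in AV25-804 (npm package names are lowercase).
const VERSIONS = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
const AFFECTED = new Map([
  ['react-server-dom-webpack', VERSIONS],
  ['react-server-dom-parcel', VERSIONS],
  ['react-server-dom-turbopack', VERSIONS],
]);

// lock: the object obtained from JSON.parse() of a package-lock.json.
// Returns one entry per installed copy whose version is on the affected list.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = AFFECTED.get(name);
    if (bad && bad.includes(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = info.name || path.split('node_modules/').pop();
      check(name, info.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const where = trail ? `${trail} > ${name}` : name;
        check(name, info.version, where);
        walk(info.dependencies, where);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile; "0.0.0-constructed" is a placeholder version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/some-framework/node_modules/react-server-dom-parcel': { version: '19.2.0' },
    'node_modules/react-server-dom-turbopack': { version: '0.0.0-constructed' },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

A framework that ships the react-server implementation inside its own package rather than as a separate dependency will not appear in this scan; for those, compare the framework's installed version against its own advisory.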
