Skip to content

add update instructions #8172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rickhanlonii merged 1 commit into from
Dec 3, 2025
Merged

add update instructions #8172

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
112 changes: 110 additions & 2 deletions ...t/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,19 +44,127 @@ Some React frameworks and bundlers depended on, had peer dependencies for, or in

We will update this post with upgrade instructions on how to upgrade as they become available.

### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}

We have worked with a number of hosting providers to apply temporary mitigations.

You should not depend on these to secure your app, and still update immediately.

### Vulnerability overview {/*vulnerability-overview*/}

[React Server Functions](https://react.dev/reference/rsc/server-functions) allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.

An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.

### Timeline {/*timeline*/}
## Update Instructions {/*update-instructions*/}

### Next.js {/*update-next-js*/}

All users should upgrade to the latest patched version in their release line:

```bash
npm install next@15.0.5 // for 15.0.x
npm install next@15.1.9 // for 15.1.x
npm install next@15.2.6 // for 15.2.x
npm install next@15.3.6 // for 15.3.x
npm install next@15.4.8 // for 15.4.x
npm install next@15.5.7 // for 15.5.x
npm install next@16.0.7 // for 16.0.x
```

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:

```bash
npm install next@14
```

See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.

### React Router {/*update-react-router*/}

If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:

```bash
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
```

### Expo {/*expo*/}

Upgrade to the latest `react-server-dom-webpack`:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

### Redwood SDK {/*update-redwood-sdk*/}

Ensure you are on rwsdk>=1.0.0-alpha.0

For the latest beta version:

```bash
npm install rwsdk@latest
```

Upgrade to the latest `react-server-dom-webpack`:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

See [Redwood docs](https://docs.rwsdk.com/migrating/) for more migration instructions.

### Waku {/*update-waku*/}

Upgrade to the latest `react-server-dom-webpack`:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

### `@vitejs/plugin-rsc` {/*vitejs-plugin-rsc*/}

Upgrade to the latest RSC plugin:

```bash
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
```

### `react-server-dom-parcel` {/*update-react-server-dom-parcel*/}

Update to the latest version:

```bash
npm install react@latest react-dom@latest react-server-dom-parcel@latest
```

### `react-server-dom-turbopack` {/*update-react-server-dom-turbopack*/}

Update to the latest version:

```bash
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
```

### `react-server-dom-webpack` {/*update-react-server-dom-webpack*/}

Update to the latest version:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

## Timeline {/*timeline*/}

* **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/).
* **November 30th**: Meta security researchers confirmed and began working with the React team on a fix.
* **December 1st**: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix
* **December 3rd**: The fix was published to npm and the publicly disclosed as CVE-2025-55182.

### Attribution {/*attribution*/}
## Attribution {/*attribution*/}

Thank you to [Lachlan Davidson](https://github.com/lachlan2k) for discovering, reporting, and working to help fix this vulnerability.