URGENT: Security Alert CVE-2025-55182 (React2Shell)
This vulnerability is present in the following versions of React Server and Next.js:
react-server-dom*: 19.0.0, 19.1.0, 19.1.1, and 19.2.0
Next.js: 14.3.0-canary, 15.x, and 16.x (App Router)
Any framework or library bundling the React Server Components implementation is likely affected.
This includes, but is not limited to:
Next.js
Vite RSC plugin
Parcel RSC plugin
React Router RSC preview
RedwoodSDK
Waku
The patched React Server versions are:
19.0.1
19.1.2
19.2.1
The patched Next.js versions are:
14.3.0-canary.88
15.0.5
15.1.9
15.2.6
15.3.6
15.4.8
15.5.7
16.0.7
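
To check a project against the version lists above, the following added example (not part of the original advisory or of any React or Next.js tooling) scans a parsed npm package-lock.json (lockfileVersion 2 or 3) for affected react-server-dom* and next entries. The function names, status labels and sample lockfile are assumptions made for illustration, as is treating every 14.3.0 canary before canary.88 as affected.

```javascript
// Version data copied from the advisory above; names and statuses are illustrative.
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Next.js release line -> first patched patch number on that line.
const NEXT_FIXED = { "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7 };
const NEXT_CANARY_FIXED = 88; // 14.3.0-canary.88

// Classify one Next.js version string against the advisory's tables.
function classifyNext(version) {
  const canary = /^14\.3\.0-canary\.(\d+)$/.exec(version);
  // Assumption: every 14.3.0 canary before .88 is treated as affected.
  if (canary) return Number(canary[1]) < NEXT_CANARY_FIXED ? "vulnerable" : "patched";
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) return "review"; // other pre-release or unparsable tags need a human
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 15 && major !== 16) return "not-listed";
  const fixed = NEXT_FIXED[`${major}.${minor}`];
  // A 15.x/16.x line with no patched release in the advisory needs manual review.
  if (fixed === undefined) return "unlisted-line";
  return patch < fixed ? "vulnerable" : "patched";
}

// Walk the lockfile "packages" map, including nested node_modules copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!name || !meta.version) continue;
    let status = "not-listed";
    if (name.startsWith("react-server-dom")) {
      status = RSC_AFFECTED.has(meta.version) ? "vulnerable" : "not-listed";
    } else if (name === "next") {
      status = classifyNext(meta.version);
    }
    if (status !== "not-listed" && status !== "patched") findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.4.7" },
  "node_modules/react-server-dom-webpack": { version: "19.1.2" },
  "node_modules/some-tool/node_modules/react-server-dom-webpack": { version: "19.2.0" },
  "node_modules/other/node_modules/next": { version: "16.0.7" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse on the contents of package-lock.json to scanLockfile; nested copies pulled in by other dependencies are reported with their full path.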