React Server Components deserialization vulnerability

Added: 12/11/2025

Background

React is a JavaScript library for building user interfaces. React Server Components are React components that render on the server rather than in the browser; the rendered tree, and the arguments of any Server Function the client calls, travel between client and server as a serialized payload that the server must decode.

Problem

A deserialization vulnerability in the server-side decoding of that payload allows an unauthenticated remote attacker to execute arbitrary code on the server by sending specially crafted serialized data in an HTTP POST request to an endpoint that accepts it (for example a Server Function endpoint). The affected code ships in the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages on the 19.0, 19.1, and 19.2 release lines (19.0.0 through 19.2.0); frameworks that bundle these packages, such as Next.js, are affected through them.

Resolution

Upgrade react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack (the packages that carry the fix; the react package itself is not the affected component) to 19.0.1, 19.1.2, or 19.2.1 or higher on the release line in use. Next.js applications must upgrade Next.js itself, because it vendors its own copy of these packages: use 12.3.5, 13.5.9, 14.2.25, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7 or higher, matching the release line in use. Other frameworks that bundle React Server Components should be updated to the release that includes the fixed package.
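The following lockfile check is an added example and is not part of this advisory, of React, or of Next.js. It encodes the fixed versions listed above, classifies an installed version as fixed, vulnerable, or unknown (no fixed release listed on that major.minor line, so the advisory says nothing about it), and walks the packages map of an npm lockfile (v2/v3 format). The lockfile contents, the package name SAMPLE_LOCK, and the function names are assumptions made for the example; replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to run it against a real project.

```javascript
// Added example (not advisory or project code): flag lockfile entries that are
// below the fixed release for their major.minor line.
const FIXED = {
  // The React fix ships in the react-server-dom-* packages, not in "react".
  "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
  "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
  // Next.js vendors its own copy of those packages, so the "next" version decides.
  next: ["12.3.5", "13.5.9", "14.2.25", "15.0.5", "15.1.9",
         "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]". A prerelease (e.g. a canary build)
// sorts before the release with the same patch number, as in semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: !!m[4] };
}

// "fixed": at or above the fixed release on the same major.minor line.
// "vulnerable": on a line with a fixed release, but below it.
// "unknown": package not tracked here, or no fixed release listed on that line.
function classify(pkg, version) {
  const fixedList = FIXED[pkg];
  if (!fixedList) return "unknown";
  const v = parseVersion(version);
  const fixed = fixedList
    .map(parseVersion)
    .find((f) => f.major === v.major && f.minor === v.minor);
  if (!fixed) return "unknown";
  if (v.patch > fixed.patch) return "fixed";
  if (v.patch === fixed.patch && !v.prerelease) return "fixed";
  return "vulnerable";
}

// Walk an npm lockfile "packages" map. Keys look like "node_modules/next" or
// "node_modules/foo/node_modules/react-server-dom-webpack"; "" is the root project.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!(name in FIXED) || !entry.version) continue;
    findings.push({ path, name, version: entry.version, status: classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (assumption for the example, not a real project).
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.4.7" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/other/node_modules/react-server-dom-webpack": { version: "19.2.1" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

The check deliberately reports "unknown" rather than "fixed" for release lines the advisory does not list, so a future or unlisted line is reviewed by hand instead of silently passing; nested copies under a dependency's own node_modules are reported separately because each copy is loaded independently.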

References

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
