
Recently, a critical security vulnerability was discovered in React 19, and it caused widespread concern in the frontend community. Many developers panicked, especially those using Next.js, because it was not immediately clear whether their apps were affected.
This article breaks down what happened, why it was dangerous, and which setups are actually safe.
What Exactly Happened?
React 19 introduced a new system for React Server Components (RSC). This system sends special data streams from the server to the browser. This data describes how to build the UI.
Hackers discovered that:
They could inject malicious commands into this stream.
The browser could interpret those commands.
This allowed remote code execution (the vulnerability is known as React2Shell).
Link 1 — https://www.cve.org/CVERecord?id=CVE-2025-55182
Link 2 — https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
CVE
CVE (Common Vulnerabilities and Exposures) is a global database of security vulnerabilities for all software and hardware, not just React.
In short: the React 19 RSC protocol could be hacked to execute commands.
What Are React Server Components (RSC)?
Just imagine:
Normal React components run in the browser
RSC run on the server and send the result to the browser
React 19 introduced a new RSC protocol with new serialization and payload formats. This new system is where the vulnerability was found.
Who Is Affected?
Affected:
Anyone using React 19 or React Canary versions (Canary: think like a beta version)
Frameworks that forcibly enable React 19 features (e.g. Next.js)
Safe:
Next.js 13 and Next.js 14 (both use React 18 for app router)
Anyone using React 18
Why Are Next.js 13 and 14 Safe?
Next.js 13 and 14 offer two routers:
Pages Router → Next.js own SSR (no RSC)
App Router → React 18 RSC only (old stable version)
Note: older Next.js versions (< 13) used their own system to run server-side code.
Next.js 15 and the React 19 Issue
If you or your team moves to Next.js 15 and uses App Router + RSC:
Upgrade immediately to a patched version (see the versions listed in the advisory), e.g. 15.0.5, 15.1.9, etc.
Do not assume the defaults are “safe by default”: if you have RSC enabled, you were exposed.
Official Link — https://nextjs.org/blog/CVE-2025-66478
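The rules in the two sections above (who is affected, and which Next.js 15 versions are patched) can be turned into a check you run against a project's lockfile. The script below is an added example written for this article, not code from the React or Next.js projects. It assumes the package-lock.json layout (the `packages` map keyed by `node_modules/...` paths), uses only the patched Next.js versions the article names (15.0.5 and 15.1.9, with a placeholder comment where other minor lines would be filled in from the advisory), and treats any prerelease tag as a Canary build. The sample lockfile at the bottom is constructed for the demonstration.

```javascript
// Added example, not code from the article or from the React/Next.js projects.
// It applies the article's "who is affected" rules to the packages listed in a
// package-lock.json-style object and reports which entries need attention.

// Patched Next.js 15 versions named in the article. Other 15.x minor lines are
// deliberately left out: add them from the official advisory before relying on
// this check (the commented entry is a placeholder, not a real version).
const PATCHED_NEXT_15 = {
  "15.0": "15.0.5",
  "15.1": "15.1.9",
  // "15.2": "FILL_FROM_ADVISORY",
};

// Minimal semver parser; enough for "major.minor.patch[-prerelease]".
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the release with the same numbers.
function compareVersions(a, b) {
  for (const key of ["major", "minor", "patch"]) {
    if (a[key] !== b[key]) return a[key] < b[key] ? -1 : 1;
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Classify one installed package as "affected", "safe" or "unknown" using the
// article's rules. Returns null for packages the check does not cover.
function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return { status: "unknown", reason: `cannot parse version "${version}"` };
  const isCanary = v.pre !== null; // React and Next.js publish canaries as prereleases

  if (name === "react" || name === "react-dom") {
    if (v.major >= 19 || isCanary) {
      return { status: "affected", reason: "React 19 / Canary ships the new RSC protocol" };
    }
    return { status: "safe", reason: "React 18 or older does not use the React 19 RSC protocol" };
  }

  if (name === "next") {
    if (v.major <= 14 && !isCanary) {
      return { status: "safe", reason: "Next.js 13/14 stable use React 18 for the App Router" };
    }
    if (v.major === 15) {
      const line = `${v.major}.${v.minor}`;
      const patched = PATCHED_NEXT_15[line];
      if (!patched) {
        return { status: "unknown", reason: `no patched version recorded for ${line}.x; check the advisory` };
      }
      if (compareVersions(v, parseVersion(patched)) >= 0) {
        return { status: "safe", reason: `at or above patched version ${patched}` };
      }
      return { status: "affected", reason: `below patched version ${patched}` };
    }
    return { status: "unknown", reason: "version line not covered by the article; check the advisory" };
  }

  return null;
}

// Walk a package-lock.json "packages" map (keys look like "node_modules/react"
// or "node_modules/a/node_modules/react") and collect findings.
function auditLock(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.includes("node_modules/")) continue; // skips the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const result = classify(name, info.version);
    if (result) findings.push({ path, name, version: info.version, ...result });
  }
  return findings;
}

// True only when every covered package is classified as safe.
function isClean(findings) {
  return findings.every((f) => f.status === "safe");
}

// Constructed sample lockfile (not a real project): a Next.js 15 + React 19 stack.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-dom": { version: "19.0.0" },
    "node_modules/next": { version: "15.0.3" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version}: ${f.reason}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json (for example `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`) and treat any "affected" or "unknown" line as a reason to open the advisory. Nested copies of react or next are reported with their full lockfile path, since a transitive dependency can pull in a React 19 build even when the top-level dependency is React 18.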
Summary
React 19’s Server Components vulnerability was serious, but most apps are safe if you’re on React 18 or Next.js 13/14. Teams using Next.js 15 + App Router + RSC must upgrade to the patched versions immediately. Always keep an eye on CVEs and framework updates — new features are exciting, but security comes first.