TLDR: On December 3, 2025, React disclosed CVE-2025-55182, a critical remote code execution vulnerability (CVSS 10) in React Server Components due to unsafe deserialization. Affects React versions 19.0-19.2.0; fixed in 19.0.1, 19.1.2, 19.2.1. Next.js versions 15.0.5-15.5.7 and 16.0.7 also need updates. Vulnerability allows remote exploitation without authentication.
Critical Vulnerability in React and Next.js (CVE-2025-55182)

