React security advisory (AV25-834)

Serial number: AV25-834
Date: December 15, 2025

On December 11, 2025, React Foundation published a security advisory to address vulnerabilities in the following products:

  • CVE-2025-55183 and CVE-2025-55184 affecting:
    • react-server-dom-webpack – versions 19.0.0 to 19.0.1, 19.1.0 to 19.1.2 and 19.2.0 to 19.2.1
    • react-server-dom-parcel – versions 19.0.0 to 19.0.1, 19.1.0 to 19.1.2 and 19.2.0 to 19.2.1
    • react-server-dom-turbopack – versions 19.0.0 to 19.0.1, 19.1.0 to 19.1.2 and 19.2.0 to 19.2.1
  • CVE-2025-67779 affecting:
    • react-server-dom-webpack – versions 19.0.2, 19.1.3 and 19.2.2
    • react-server-dom-parcel – versions 19.0.2, 19.1.3 and 19.2.2
    • react-server-dom-turbopack – versions 19.0.2, 19.1.3 and 19.2.2

Libraries and frameworks bundling react-server implementations are likely to be affected. Common examples include:

  • Next.js
  • Vite RSC plugin
  • Parcel RSC plugin
  • React Router RSC preview
  • RedwoodSDK
  • Waku

The Cyber Centre encourages users and administrators to review the web link provided and apply the necessary updates.
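
To locate installs that fall in the version ranges listed above, the following added example (not part of the advisory or of React's own tooling) scans the "packages" map of an npm package-lock.json, including copies nested under another dependency. The sample lockfile and the name some-framework are constructed; a framework that ships a precompiled copy of these packages has no separate lockfile entry for it, so the framework's own version must be checked as well.

```javascript
// Affected ranges transcribed from advisory AV25-834 (inclusive [first, last]).
const PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"];
const AFFECTED = [
  { cves: ["CVE-2025-55183", "CVE-2025-55184"],
    ranges: [["19.0.0", "19.0.1"], ["19.1.0", "19.1.2"], ["19.2.0", "19.2.1"]] },
  { cves: ["CVE-2025-67779"],
    ranges: [["19.0.2", "19.0.2"], ["19.1.3", "19.1.3"], ["19.2.2", "19.2.2"]] },
];
// Parse plain MAJOR.MINOR.PATCH; anything else (canary, pre-release) yields
// null so it is reported for manual review instead of being treated as safe.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// CVE ids the advisory lists for this version; [] if not listed; null if unparseable.
function cvesFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const inRange = ([lo, hi]) =>
    compare(v, parseVersion(lo)) >= 0 && compare(v, parseVersion(hi)) <= 0;
  return AFFECTED.filter((g) => g.ranges.some(inRange)).flatMap((g) => g.cves);
}
// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under another dependency's node_modules.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!PACKAGES.includes(name) || typeof entry.version !== "string") continue;
    const cves = cvesFor(entry.version);
    if (cves === null) findings.push({ path, version: entry.version, cves: ["REVIEW"] });
    else if (cves.length) findings.push({ path, version: entry.version, cves });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/react-server-dom-webpack": { version: "19.1.2" },
  "node_modules/some-framework/node_modules/react-server-dom-parcel": { version: "19.2.2" },
  "node_modules/react-server-dom-turbopack": { version: "19.2.3" }, // not listed above
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of package-lock.json to scanLockfile; an entry marked REVIEW has a version string the script could not compare and needs a manual check.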
