A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0.
It allows « unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints, » the React Team said in
