CERT-EU 2025-12-04

2025-041: Critical Security Vulnerability in React Server Components

Machine-generated analysis · WAYSCloud LLM

React Server Components vulnerability enables unauthenticated remote code execution via HTTP requests. The React Team disclosed this on December 3, 2025.

Context

React Server Components are a React framework feature for server-side rendering. The advisory states that malicious HTTP requests can lead to remote code execution. The vulnerability affects not only React Server Components but also packages and frameworks that integrate them.

Operator considerations

Patch: Update all affected React Server Components and integrating framework packages.

From Computer Emergency Response Team for the EU institutions ↗

On December 3, 2025, the React Team publicly disclosed a critical security vulnerability affecting React Server Components (RSC) and related packages. The vulnerability allows for unauthenticated remote code execution (RCE) via maliciously crafted HTTP requests.

It is recommended to update all affected component packages and any frameworks that integrate them.

Read the full advisory on CERT-EU →