Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
React Server Components Remote Code Execution Vulnerability
Vulnerability
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The vulnerable code lives in the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, which implement the server side of the React Server Components protocol for each bundler. Server Function endpoints deserialize the body of incoming HTTP requests, and that deserialization is unsafe: a crafted request body is enough to make the server execute attacker-supplied code. No credentials, session, or prior access are required, so any client that can reach a Server Function endpoint can trigger the flaw.
Impact
Successful exploitation gives an unauthenticated attacker arbitrary code execution inside the server process that runs the affected React Server Components package, with whatever privileges, environment variables, credentials, and network reach that process has. Because no authentication is needed, an application's exposure is equal to the reachability of its Server Function endpoints.
Remediation
Upgrade the affected packages (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack) to React Server Components versions 19.0.1, 19.1.2, or 19.2.1, staying on the same minor line that is currently deployed. If using Next.js, upgrade Next.js itself to the latest version in the 15.x or 16.x release line, depending on the current version: Next.js ships its own compiled copy of these packages, so a patched top-level react-server-dom-* dependency alone does not fix a Next.js application. For React Router, upgrade to the latest versions of react and react-dom as well as the latest versions of the react-server-dom-* packages. Consult the React blog post for upgrade instructions for other frameworks and bundlers that may be affected. After upgrading, confirm the resolved versions (for example with `npm ls react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel`), including nested copies pulled in transitively by a framework, and redeploy; an updated package.json that has not been installed and deployed does not change the running server.
