(I'm not affiliated with React nor Meta, just posting this here as I don't think I've seen the team send notes to this list.)
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components https://www.cve.org/CVERecord?id=CVE-2025-55182 A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. The commit including the fix is here: https://github.com/facebook/react/pull/35277 "Further details of the vulnerability will be provided after the rollout of the fix is complete."
