This post provides Sourcegraph code search queries and Deep Search instructions to immediately find and track all projects affected by the CVE-2025-55182 remote code execution flaw in React Server Components.
A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components was reported by Lachlan Davidson on November 29th, 2025.
This severe flaw allows for unauthenticated remote code execution. It exploits how React decodes payloads sent to React Server Function endpoints.
Affected Versions and Scope:
react-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopackTo ensure comprehensive coverage, it is critical to check not only for direct usage of the vulnerable packages, but also for dependent frameworks and libraries that incorporate them.
Run these queries on Sourcegraph to quickly identify which projects directly or indirectly depend on vulnerable versions of React Server Components. The following links display results on Sourcegraph's public code search across 1.1 million open source repositories.
Direct dependencies that have vulnerable versions of React Server Components:
Note: Searching strictly for exact version numbers can miss dependencies that appear to be upgradable but are pinned to vulnerable versions in yarn.lock or package-lock.json. We target ^ and ~ prefixes to catch repositories that haven't explicitly closed the door on the vulnerability.
You can utilize either our CLI or our web app. We've linked to our public code search above; feel free to modify those URLs or use the following syntax:
context: global file:package.json "react-server-dom-(webpack|parcel|turbopack)" :\s* "[~^]?(19\.0(\.0)?|19\.1\.[01]|19\.2\.0)" patterntype:regexp
context: global file:package.json "next" :\s* "[~^]?(15\.0\.[0-4]|15\.1\.[0-8]|15\.2\.[0-5]|15\.3\.[0-5]|15\.4\.[0-7]|15\.5\.[0-6]|16\.0\.[0-6])" patterntype:regexp
context: global file:package.json ( "react-router" OR "@remix-run/router" ) AND "react-server-dom-(webpack|parcel|turbopack)" :\s* "[~^]?(19\.0(\.0)?|19\.1\.[01]|19\.2\.0)" patterntype:regexp
Deep Search is an agentic code search tool designed to understand and execute complex natural language queries. It conducts exhaustive searches to deliver comprehensive answers and facilitates more in-depth investigations through follow-up questions. For example, you can use natural language to search for vulnerabilities, such as CVE-2025-55182.
The vulnerability, identified as CVE-2025-55182, affects any application that supports React Server Components.
The affected package versions are 19.0, 19.1.0, 19.1.1, and 19.2.0. Please check all github.com/sourcegraph/* repositories for use of these vulnerable versions.
Stay tuned for Part 2, which covers fixing and tracking your vulnerable code.
Schedule a conversation to see how Sourcegraph can help you and your team find code, make large-scale changes, and track insights across codebases of any scale and with any number of code hosts.
Special thanks to Tino Wening, Stephanie Jarmak, and Dan Adler for their valuable feedback on this post.
With Sourcegraph, the code understanding platform for enterprise.
Schedule a demo