Find Affected Code: React Server Components Critical Security Vulnerability (CVE-2025-55182)
What is CVE-2025-55182?
A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components was reported by Lachlan Davidson on November 29th, 2025.
This severe flaw allows unauthenticated remote code execution; it stems from how React decodes payloads sent to React Server Function endpoints.
Affected Versions and Scope:
- Any application supporting React Server Components is potentially vulnerable, even if it does not explicitly use React Server Function endpoints.
- The vulnerability affects the following packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Find everywhere React Server Components are used across all your code
To ensure comprehensive coverage, it is critical to check not only for direct usage of the vulnerable packages, but also for dependent frameworks and libraries that incorporate them.
Run these queries on Sourcegraph to quickly identify which projects directly or indirectly depend on vulnerable versions of React Server Components. The following links display results on Sourcegraph’s public code search across 1.1 million open source repositories.
Direct dependencies that have vulnerable versions of React Server Components:
Note: Searching strictly for exact version numbers can miss repositories whose package.json looks upgradable (for example a ^ or ~ range) but whose yarn.lock or package-lock.json still pins a vulnerable version. The queries therefore also match ^ and ~ prefixes, to catch repositories that haven't explicitly closed the door on the vulnerability.
Search across your organization's private code
Code Search
You can use either our CLI or our web app. The links above point at our public code search; adjust those URLs for your own Sourcegraph instance, or use the following query syntax:
react-server-dom (webpack, parcel, and turbopack)
context:global file:package.json "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?(19\.0(\.0)?|19\.1\.[01]|19\.2\.0)"
Next.js
context:global file:package.json "next":\s*"[~^]?(15\.0\.[0-4]|15\.1\.[0-8]|15\.2\.[0-5]|15\.3\.[0-5]|15\.4\.[0-7]|15\.5\.[0-6]|16\.0\.[0-6])"
React Router
context:global file:package.json ("react-router" OR "@remix-run/router") AND "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?(19\.0(\.0)?|19\.1\.[01]|19\.2\.0)"
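The queries above tell you which repositories to look at. As an added example (not code from this post or from Sourcegraph's own tooling), the Node.js script below applies the same version sets inside one checked-out repository: it reads package.json and then package-lock.json and yarn.lock, so the pinned-version case from the note above is covered. The version sets are the ones the queries encode (the Next.js ranges are copied from that query's regex); the sample manifest and lockfile contents are constructed for illustration.

```javascript
// Added example, not code from the Sourcegraph post or from Sourcegraph itself: it applies the
// version sets encoded in the queries above to one repository's manifest and lockfiles. All sample file contents below are constructed.
const VULNERABLE_RSC = ['19.0.0', '19.1.0', '19.1.1', '19.2.0'];
// patchRange('15.0', 0, 4) -> 15.0.0 .. 15.0.4; the Next.js ranges are those of the query above.
const patchRange = (minor, lo, hi) => Array.from({ length: hi - lo + 1 }, (_, i) => `${minor}.${lo + i}`);
const VULNERABLE = {
  'react-server-dom-webpack': VULNERABLE_RSC,
  'react-server-dom-parcel': VULNERABLE_RSC,
  'react-server-dom-turbopack': VULNERABLE_RSC,
  next: [...patchRange('15.0', 0, 4), ...patchRange('15.1', 0, 8), ...patchRange('15.2', 0, 5),
         ...patchRange('15.3', 0, 5), ...patchRange('15.4', 0, 7), ...patchRange('15.5', 0, 6),
         ...patchRange('16.0', 0, 6)],
};
// "19.0" and "19.0.0" name the same release, as the query's (19\.0(\.0)?) allows.
function normalize(version) {
  const parts = version.trim().split('.');
  while (parts.length < 3) parts.push('0');
  return parts.join('.');
}
function isVulnerable(name, version) {
  return (VULNERABLE[name] || []).includes(normalize(version));
}

// A spec such as "^19.1.0" or "~19.1.1" is reported when its base version is vulnerable (the
// [~^]? prefix in the queries): the range admits a vulnerable install; the lockfile says what was picked.
function checkManifest(text) {
  const manifest = JSON.parse(text);
  const findings = [];
  for (const block of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[block] || {})) {
      const m = /^[~^]?(\d+\.\d+(?:\.\d+)?)$/.exec(spec.trim());
      if (m && isVulnerable(name, m[1])) findings.push({ source: 'package.json', name, version: spec });
    }
  }
  return findings;
}

// package-lock.json (lockfileVersion 2 or 3) keys resolved versions by install path; nested copies
// sit at node_modules/a/node_modules/b, so the package name follows the last "node_modules/".
function checkPackageLock(text) {
  const findings = [];
  for (const [path, entry] of Object.entries(JSON.parse(text).packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0 || !entry.version) continue; // "" is the root project entry
    const name = path.slice(idx + 'node_modules/'.length);
    if (isVulnerable(name, entry.version)) findings.push({ source: 'package-lock.json', name, version: entry.version });
  }
  return findings;
}
// yarn.lock v1: an unindented header ending in ":" (e.g. react-server-dom-webpack@^19.1.0:) is followed by an indented   version "19.1.1"   line.
function checkYarnLock(text) {
  const findings = [];
  let name = null;
  for (const line of text.split('\n')) {
    if (line.length && !/^[\s#]/.test(line) && line.endsWith(':')) {
      const spec = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      const at = spec.lastIndexOf('@'); // lastIndexOf keeps a leading "@scope/" in the name
      name = at > 0 ? spec.slice(0, at) : null;
    } else if (name) {
      const v = /^\s+version\s+"([^"]+)"/.exec(line);
      if (v) {
        if (isVulnerable(name, v[1])) findings.push({ source: 'yarn.lock', name, version: v[1] });
        name = null;
      }
    }
  }
  return findings;
}
function scanRepo({ packageJson, packageLock = null, yarnLock = null }) {
  return [...checkManifest(packageJson),
          ...(packageLock ? checkPackageLock(packageLock) : []),
          ...(yarnLock ? checkYarnLock(yarnLock) : [])];
}

// Constructed sample repository: the manifest's "^19.1.0" is inconclusive on its own; the
// lockfiles show what was actually resolved. "react" itself is not in the affected set.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ dependencies: { next: '15.5.2', react: '^19.1.0', 'react-server-dom-webpack': '^19.1.0' } });
const SAMPLE_PACKAGE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/next': { version: '15.5.2' },
  'node_modules/react': { version: '19.1.1' },
  'node_modules/react-server-dom-webpack': { version: '19.1.1' },
} });
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

"@remix-run/router@^1.0.0":
  version "1.2.3"

react-server-dom-turbopack@^19.2.0:
  version "19.2.0"
`;
function scanSample() {
  return scanRepo({ packageJson: SAMPLE_PACKAGE_JSON, packageLock: SAMPLE_PACKAGE_LOCK, yarnLock: SAMPLE_YARN_LOCK });
}
for (const f of scanSample()) console.log(`${f.source}: ${f.name} ${f.version}`);
```

To run it against a real checkout, replace the constructed samples with the contents of the files read via fs.readFileSync. Read the output the way the note above suggests: a package.json hit on its own means the declared range admits a vulnerable release, while a package-lock.json or yarn.lock hit is the version that actually ships.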

Deep Search
Deep Search is an agentic code search tool that understands and executes complex natural-language queries, runs exhaustive searches to return comprehensive answers, and supports deeper investigation through follow-up questions. For example, the following prompt asks it to look for CVE-2025-55182:
The vulnerability, identified as CVE-2025-55182, affects any application that supports React Server Components.
The affected package versions are 19.0, 19.1.0, 19.1.1, and 19.2.0. Please check all github.com/sourcegraph/* repositories for use of these vulnerable versions.

Stay tuned for Part 2, which covers fixing and tracking your vulnerable code.
Getting started with Sourcegraph
Schedule a conversation to see how Sourcegraph can help you and your team find code, make large-scale changes, and track insights across codebases of any scale and with any number of code hosts.