{"slug": "react-server-functions-next-js-vulnerability-deno-deploy-users-protected", "title": "React Server Functions / Next.js Vulnerability: Deno Deploy users protected", "summary": "A critical Remote Code Execution (RCE) vulnerability (CVE-2025-55182) was discovered in React Server Functions and Next.js, affecting all versions of React's Server Function protocol and implementations like Next.js App Router. Deno implemented a runtime-level mitigation in Deno Deploy on December 2, 2025, protecting all Deno Deploy users, while all other users must immediately upgrade to patched versions of React or Next.js. A subsequent high-severity Denial-of-Service vulnerability (CVE-2025-55184) was also disclosed, with Deno again applying mitigations for Deno Deploy users.", "body_md": "React Server Functions / Next.js Vulnerability: Deno Deploy users protected\nTL;DR: A critical Remote Code Execution (RCE) vulnerability has been found in React Server Functions and Next.js (CVE-2025-55182). Deno has implemented mitigations in Deno Deploy. Immediate upgrades are required for other users.\nThis is part of a coordinated vulnerability disclosure with the Meta Security Team and the Next.js team at Vercel regarding a critical-severity Remote Code Execution (RCE) vulnerability in React Server Functions.\nUpdate December 11th 2025: A new high-severity Denial-of-Service (DoS) vulnerability was discovered in React Server Functions and Next.js (CVE-2025-55184). Deno has implemented mitigations in Deno Deploy. Immediate upgrades are required for other users.\nOn Saturday, November 29th 2025, a security researcher responsibly disclosed an unauthenticated remote code execution (RCE) vulnerability in React Server Functions to Meta.\nThis vulnerability exists in all versions of React’s “Server Function” protocol released to date (React 19.0, 19.1, and 19.2.0). It allows an attacker to execute arbitrary code on a server that accepts and processes React Server Function requests. 
The following RSC implementations are known to be vulnerable:\n- All Next.js applications using App Router, on Next 15 or Next 16.\n- Applications using React Router RSC preview\n- Applications built with the Parcel RSC plugin\n- Applications built with the Vite RSC plugin\nOn December 2nd 2025, Deno implemented a runtime-level mitigation for this vulnerability in Deno Deploy. Applications deployed to Deno Deploy are thus no longer vulnerable to this RCE exploit. The mitigation has been applied to the new Deno Deploy, Deno Deploy Classic, and Deno Deploy subhosting environments.\nAll other users must immediately upgrade their applications to any of the following patched versions of React or Next.js, which contain fixes for this vulnerability:\n- Next.js 16: update `next` to 16.0.7 or later.\n- Next.js 15: update `next` to 15.5.6 or later (and for older minors you can update to 15.4.6, 15.3.6, 15.2.6, or 15.1.9).\n- React Router, Parcel RSC, Vite RSC, Waku, and RedwoodSDK: update `react-server-dom-webpack` / `react-server-dom-parcel` / `react-server-dom-turbopack` to 19.2.1 or later (and for older minors you can update to 19.1.2 or 19.0.1).\nIf you are using Deno as your package manager, you can upgrade Next.js by running:\n```\ndeno update next@latest\n```\nTo upgrade the library that implements React Server Functions for React Router, Parcel RSC, Vite RSC, Waku, or RedwoodSDK, run:\n```\ndeno update react-server-dom-webpack@latest\n# or\ndeno update react-server-dom-parcel@latest\n# or\ndeno update react-server-dom-turbopack@latest\n```\nFor users of Deno Deploy: although a runtime-level mitigation has already been applied to all Deno Deploy applications automatically, we still recommend upgrading to the patched versions of Next.js / React as soon as possible, to ensure that your applications remain secure in other deployment environments.\nDue to the nature of this vulnerability, we do not believe that a Web Application Firewall can fully mitigate this issue without false 
positives. Because of this, we have mitigated the risk for Deno Deploy users with a runtime-level mitigation instead. Nonetheless, we recommend that all users upgrade to a patched version of the affected libraries for a more comprehensive mitigation. We will share more details about the runtime-level mitigation in a future blog post.\nWe thank the Meta Security Team and the Next.js team at Vercel for their collaboration in responsibly disclosing this vulnerability and coordinating the release of patches and mitigations. Additionally, we thank Lachlan Davidson, who found and reported this vulnerability, for their responsible disclosure.\nIf you have any questions or need assistance, please reach out to us at deploy@deno.com.", "url": "https://wpnews.pro/news/react-server-functions-next-js-vulnerability-deno-deploy-users-protected", "canonical_source": "https://deno.com/blog/react-server-functions-rce", "published_at": "2025-12-03 15:00:00+00:00", "updated_at": "2026-05-22 12:22:48.647461+00:00", "lang": "en", "topics": ["cybersecurity"], "entities": ["React", "Next.js", "Deno Deploy", "Meta", "Vercel", "CVE-2025-55182", "CVE-2025-55184", "React Router"], "alternates": {"html": "https://wpnews.pro/news/react-server-functions-next-js-vulnerability-deno-deploy-users-protected", "markdown": "https://wpnews.pro/news/react-server-functions-next-js-vulnerability-deno-deploy-users-protected.md", "text": "https://wpnews.pro/news/react-server-functions-next-js-vulnerability-deno-deploy-users-protected.txt", "jsonld": "https://wpnews.pro/news/react-server-functions-next-js-vulnerability-deno-deploy-users-protected.jsonld"}}