Saved February 14, 2026
Do you care about this?
A critical security flaw in React Server Components allows unauthenticated remote code execution. Users should upgrade to fixed versions immediately to protect their applications from potential attacks.
If you do, here's more
A serious security vulnerability has been identified in React Server Components, allowing unauthenticated remote code execution. This flaw, reported by Lachlan Davidson on November 29, 2025, involves how React decodes payloads sent to Server Function endpoints. Even if an app doesn't explicitly use these endpoints, it can still be at risk if it supports React Server Components. The vulnerability is logged as CVE-2025-55182 and carries a CVSS score of 10.0, indicating its severity.
To mitigate this risk, users must upgrade their React packages immediately. The affected versions include 19.0, 19.1.0, 19.1.1, and 19.2.0, with fixed versions available in 19.0.1, 19.1.2, and 19.2.1. Various React frameworks and bundlers, such as Next.js, React Router, and Waku, are also impacted. Specific upgrade instructions are provided for each framework to ensure users can quickly patch their applications. Temporary mitigations have been implemented by some hosting providers, but these should not replace the urgent need for users to update their software.
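The affected and fixed version numbers above are enough to write a quick "am I exposed?" check against a resolved lockfile. The following is an added example, not code from the advisory or from the React project: it parses a package-lock v3-style `packages` map (the sample below is constructed), flags any React package whose resolved version falls in the affected ranges the summary lists, and reports the fixed version to move to. The list of package names to inspect is an assumption for illustration; the summary only says "React packages".

```javascript
// Added example (not from the advisory): flag resolved React versions that fall
// in the affected ranges named in the summary and report the version to upgrade to.
// Affected per the summary: 19.0, 19.1.0, 19.1.1, 19.2.0.
// Fixed per the summary:    19.0.1, 19.1.2, 19.2.1.
// For each 19.x minor line, the first safe patch level.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

// Package names to inspect: an ASSUMPTION for illustration, not from the page.
const REACT_PACKAGES = new Set(['react', 'react-dom', 'react-server-dom-webpack']);

// Parse "major.minor.patch" (pre-release suffixes are ignored); null if unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// Return the fixed version string to upgrade to, or null if the version is not
// in an affected range the summary names (anything outside 19.0-19.2 is not listed).
function fixedVersionFor(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return null;
  const fixedPatch = FIXED_PATCH_BY_MINOR[p.minor];
  if (fixedPatch === undefined) return null;
  return p.patch < fixedPatch ? `19.${p.minor}.${fixedPatch}` : null;
}

// Walk a lockfile-v3-shaped object ({ packages: { "node_modules/<name>": { version } } }),
// including nested copies such as "node_modules/next/node_modules/react".
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // basename after the last node_modules/
    if (!REACT_PACKAGES.has(name) || !entry || !entry.version) continue;
    const upgradeTo = fixedVersionFor(entry.version);
    if (upgradeTo) findings.push({ path, version: entry.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile fragment: two affected copies of react, one affected
// react-dom, and one already-fixed react-server-dom-webpack.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app' },
    'node_modules/react': { version: '19.1.1' },
    'node_modules/react-dom': { version: '19.1.1' },
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/next/node_modules/react': { version: '19.0.0' },
  },
};

// Run directly (CommonJS): print the findings for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditLock(SAMPLE_LOCK);
  for (const f of findings) {
    console.log(`${f.path}: ${f.version} is affected, upgrade to ${f.upgradeTo}`);
  }
  if (findings.length === 0) console.log('No affected React versions found.');
}
```

To use it on a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the check deliberately works on resolved versions rather than `package.json` ranges such as `^19.1.0`, because a caret range says nothing about which patch level is actually installed. Framework-level packages (Next.js, React Router, Waku) carry their own version numbers and need the framework's specific upgrade instructions; this script does not judge those.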
The timeline highlights a swift response from Meta's security team, confirming the vulnerability the day after it was reported and rolling out a fix by December 3. Acknowledgment goes to Lachlan Davidson for bringing this issue to light and assisting with the resolution. Further details about the vulnerability will follow after the fix is fully rolled out.