Saved February 14, 2026
Do you care about this?
A remote code execution vulnerability affects specific versions of React and frameworks like Next.js using the App Router. Users of Next.js versions 15.x and 16.x need to update to patched versions immediately to mitigate the risk. Experimental canary releases starting from 14.3.0-canary.77 are also impacted.
If you do, here's more
A serious remote code execution (RCE) vulnerability affects specific versions of React and frameworks relying on it, particularly Next.js versions 15.x and 16.x that use the App Router. The vulnerability is tracked as CVE-2025-55182 and impacts React packages 19.0.0 through 19.2.0. It also extends to experimental Next.js canary releases starting with 14.3.0-canary.77. The affected packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
The patched React versions are 19.0.1, 19.1.2, and 19.2.1. For Next.js, the fixed versions are 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, and the canary releases 15.6.0-canary.58 and 16.1.0-canary.12. Users on any of the 14.3 canary builds should downgrade to either a stable 14.x version or to 14.3.0-canary.76 to avoid exposure to this vulnerability.
All users running stable versions of Next.js 15.x or 16.x should upgrade to a patched version without delay. Because the flaw allows remote code execution, developers and organizations using these frameworks need to take immediate action.
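The version lists above can be applied mechanically to a dependency inventory. The following is an added example, not code from the React or Next.js projects; the function names and the "unknown" result for release lines the text does not list are assumptions of this example, and the sample versions at the end are constructed.

```javascript
// Fixed versions exactly as listed in the text above.
const NEXT_FIXED = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7",
                    "16.0.7", "15.6.0-canary.58", "16.1.0-canary.12"];
const REACT_FIXED = ["19.0.1", "19.1.2", "19.2.1"];

// Parse "X.Y.Z" or "X.Y.Z-canary.N"; a stable release sorts after its canaries.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3],
           canary: m[4] === undefined ? Infinity : +m[4] };
}

function lessThan(a, b) {
  for (const k of ["major", "minor", "patch", "canary"]) {
    if (a[k] !== b[k]) return a[k] < b[k];
  }
  return false;
}

// Compare against the fix published for the same major.minor release line.
function checkLine(v, fixedList) {
  if (!v) return "unknown"; // unparseable version string
  const fix = fixedList.map(parse)
    .find(f => f.major === v.major && f.minor === v.minor);
  if (!fix) return "unknown"; // release line not listed in the text
  return lessThan(v, fix) ? "affected" : "patched";
}

// For react-server-dom-parcel / -turbopack / -webpack versions.
function checkReact(version) {
  return checkLine(parse(version), REACT_FIXED);
}

function checkNext(version) {
  const v = parse(version);
  if (v && v.major === 14) {
    // Stable 14.x and canaries up to 14.3.0-canary.76 are the safe targets.
    const hit = v.minor === 3 && v.canary !== Infinity &&
                !lessThan(v, parse("14.3.0-canary.77"));
    return hit ? "affected" : "not-affected";
  }
  return checkLine(v, NEXT_FIXED);
}

// Constructed sample inventory.
for (const v of ["15.4.7", "16.0.7", "14.3.0-canary.80", "14.3.0-canary.76"]) {
  console.log(`next@${v}: ${checkNext(v)}`);
}
```

An "unknown" result means the release line is not covered by the lists above and needs to be checked against the vendor advisory directly.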