Overview
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This includes all frameworks that support React Server Components, including Next.js 14.3.0-canary.77, 15.x and 16.x using the App Router, and the following packages:
- react-server-dom-parcel
- react-server-dom-turbopack
- react-server-dom-webpack
The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Affected product and versions
You are affected by this vulnerability if your auth0/auth0-react project depends on React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and Next.js versions 14.3.0-canary.77, 15.x, 16.x.
Recommendations
Upgrade dependent React Server Components to versions 19.0.1, 19.1.2, or 19.2.1. Upgrade Next.js to versions 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7.
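To check which installed copies still need the upgrade, the following added example (not code from Auth0, React or Next.js) scans a parsed package-lock.json for the versions listed in this advisory. The function names, the lockfile layout (lockfileVersion 2 or 3) and the sample data are assumptions of the example.

```javascript
// Added example. Version tables are copied from this advisory; all names are illustrative.
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-turbopack", "react-server-dom-webpack"];
// Vulnerable version -> fixed version (assumption: the fix on the same minor line).
const RSC_FIX = new Map([["19.0.0", "19.0.1"], ["19.1.0", "19.1.2"], ["19.1.1", "19.1.2"], ["19.2.0", "19.2.1"]]);
// Next.js release line -> first fixed patch number on that line.
const NEXT_FIXED_PATCH = new Map([["15.0", 5], ["15.1", 9], ["15.2", 6], ["15.3", 6], ["15.4", 8], ["15.5", 7], ["16.0", 7]]);

function classify(name, version) {
  if (RSC_PACKAGES.includes(name)) {
    return RSC_FIX.has(version) ? { status: "vulnerable", fix: RSC_FIX.get(version) } : null;
  }
  if (name !== "next") return null;
  // The advisory names this canary build but lists no 14.x fix.
  if (version === "14.3.0-canary.77") return { status: "vulnerable", fix: null };
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m || (m[1] !== "15" && m[1] !== "16")) return null;
  const line = `${m[1]}.${m[2]}`;
  // 15.x/16.x lines with no fixed release listed in the advisory need a manual check.
  if (!NEXT_FIXED_PATCH.has(line)) return { status: "review", fix: null };
  // Assumption: pre-release suffixes are ignored; only the numeric patch is compared.
  const fixedPatch = NEXT_FIXED_PATCH.get(line);
  return Number(m[3]) < fixedPatch ? { status: "vulnerable", fix: `${line}.${fixedPatch}` } : null;
}

// Walks the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !meta.version) continue; // skips the root "" entry
    const name = path.slice(idx + "node_modules/".length); // handles nested installs
    const verdict = classify(name, meta.version);
    if (verdict) findings.push({ path, name, version: meta.version, ...verdict });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.2.3" },
  "node_modules/react-server-dom-webpack": { version: "19.1.1" },
  "node_modules/react-server-dom-parcel": { version: "19.2.1" },
  "node_modules/some-lib/node_modules/next": { version: "16.0.7" },
}};

console.table(scanLockfile(sampleLock));
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `scanLockfile`; nested copies under another dependency's node_modules are reported with their full path.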
References
https://www.cve.org/CVERecord?id=CVE-2025-55182