React Server Components Vulnerability

CRITICAL (10.0)

Threat Intelligence

High Risk - Exploits exist
EPSS Score: 76.01% chance of exploitation (percentile: 99%)
🔍 Detection Tools: OSV.dev, Nuclei
⚔️ Exploit Availability: GitHub PoC, CISA KEV


What is it?

React Server Components is a feature of the React library that allows for server-side rendering. This vulnerability exists in how React decodes payloads sent to React Server Function endpoints, allowing an attacker to execute arbitrary code remotely without authentication or user interaction.

Am I affected?

You're affected if you use React Server Components with React Server Function endpoints. A pre-authentication remote code execution vulnerability exists. Specific version information is not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Packages

- maven: org.reactjs/react@19.0.1
- npm: react-server-dom-parcel

How to fix

Upgrade to any of the fixed versions immediately:
- React 19.0.1
- React 19.1.2
- React 19.2.1
- Maven: Update your pom.xml dependency version
- npm: Run npm install react@19.0.1
- yarn: Run yarn add react@19.0.1
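To check an existing install against the fixed releases listed above, here is an added example (not code from the advisory or the React project) that scans a parsed `package-lock.json` (lockfile v2/v3 `packages` map) for the package the advisory names and flags any copy older than the first patched release of its 19.x minor line. The watched-package list and the sample lockfile are assumptions constructed for the example.

```javascript
// Packages to check: the advisory names react-server-dom-parcel; extend this
// list with any sibling react-server-dom-* package your bundler uses (assumption).
const WATCHED = ["react-server-dom-parcel"];
// First patched release per 19.x minor line, as listed in the advisory.
const FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Parse "major.minor.patch" into numbers; null for prerelease/garbage strings.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b (release parts only).
function compareVersions(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Walk every installed copy (including nested node_modules) of a watched package
// and return {name, version, fixedIn} for each one that needs attention.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!WATCHED.includes(name)) continue;
    const parsed = parseSemver(entry.version);
    const fixedIn = parsed ? FIXED[`${parsed[0]}.${parsed[1]}`] : undefined;
    // Unparseable or a minor line the advisory does not list: report for manual review.
    if (fixedIn === undefined) findings.push({ name, version: entry.version, fixedIn: "review manually" });
    else if (compareVersions(entry.version, fixedIn) < 0) findings.push({ name, version: entry.version, fixedIn });
  }
  return findings;
}

// Constructed sample lockfile: one outdated copy and one already-patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.1.2" },
    "node_modules/react": { version: "19.2.0" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) console.log(`${f.name}@${f.version} -> upgrade to ${f.fixedIn}`);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse` of your own `package-lock.json`.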

Immediate mitigations:
- Restrict network access to your React app (firewall it from the public internet)
- Audit admin account activity for suspicious access patterns
- Monitor for unauthorized token creation