GHSA-fmh4-wr37-44fp: React Server Components are Vulnerable to RCE
@vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. For details, see the React repository’s advisory: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
References
- github.com/advisories/GHSA-fmh4-wr37-44fp
- github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
- github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
- github.com/vitejs/vite-plugin-react
- github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp
- react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Detect and mitigate GHSA-fmh4-wr37-44fp with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.