[Updated] Mitigating Multiple Security Vulnerabilities in React Server Components
Dec 5, 2025 by Phil Pluckthun and Vojtech Novak
Here's what you need to know about whether your Expo app is affected by the recent security vulnerabilities in React Server Components, and how to upgrade it to stay protected.
UPDATED December 11 and December 12, 2025: Three new vulnerabilities (CVE-2025-55184, CVE-2025-55183, and CVE-2025-67779) were disclosed on December 11 affecting React Server Components. We have released additional patches to address these issues:
- expo-router@6.0.19 and jest-expo@54.0.16 for SDK 54
- expo-router@5.1.10 and jest-expo@53.0.13 for SDK 53
- expo-router@7.0.0-canary-20251211-7da85ea and jest-expo@55.0.0-canary-20251211-7da85ea for canary
Learn more in the react.dev blog post.
Follow the updated mitigation steps below, which now include newer react-server-dom-webpack versions that address all four vulnerabilities.
Previously, on December 3, an unauthenticated remote code execution vulnerability in React Server Components was disclosed as CVE-2025-55182. You can learn more about that vulnerability in this react.dev blog post.
Am I affected?
First, you only need to take action if you're using experimental RSC or Server Functions support. If you use Expo only for client-side Android, iOS, and web, then you are not affected. API routes are not affected.
Expo projects can be vulnerable through a dependency on react-server-dom-webpack 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, or 19.2.1. Projects that do not use RSC typically won't even have a dependency on the vulnerable package.
What to do (if affected)
To mitigate the vulnerabilities in your project's dependencies, you need to use a version of react-server-dom-webpack according to the list below:
- react-server-dom-webpack@19.1.4 for SDK 54 (with react 19.1.x)
- react-server-dom-webpack@19.0.3 for SDK 53 (with react 19.0.x)
- react-server-dom-webpack@19.2.3 for canary (with react 19.2.x)
You can install the appropriate version manually to mitigate the issue. If you're using npm, peer dependency errors may force you to pin react-server-dom-webpack in the overrides field of your package.json.
We have published patches for Expo SDK 53, 54 and canary that restrict our peer dependency ranges to only allow the patched react-server-dom-webpack versions mentioned above. Earlier versions of Expo are not affected.
These patches were published as listed below:
- commit for sdk-54, released with jest-expo@54.0.16 and expo-router@6.0.19
- commit for sdk-53, released with jest-expo@53.0.13 and expo-router@5.1.10
- commit for canary, released with jest-expo@55.0.0-canary-20251212-acb11f2 and expo-router@7.0.0-canary-20251212-acb11f2
Additionally, we have updated our version recommendations in the expo CLI. Running expo install --check will recommend updates to react-server-dom-webpack if you directly depend on an affected version. The React team has deprecated the affected versions, which means your package manager should additionally flag these versions if they're still installed in your project.
Verify the upgrade
After upgrading, verify that your project depends on the expected version of react-server-dom-webpack using npm explain react-server-dom-webpack, yarn why react-server-dom-webpack, or the equivalent command for your package manager.
React & React Native Version Compatibility
Keep in mind that specific versions of react-native require specific versions of react, to prevent a runtime version mismatch. Always follow the react (and react-dom) version recommendations from expo install --check to prevent mismatches.
React versions in a monorepo
If you're using a monorepo and must update react, SDK 54 allows you to keep your Expo app on the correct react version by enabling expo.experiments.autolinkingModuleResolution: true in your app.json. This helps if other web apps or projects must be updated to a newer version of react while keeping your React Native / Expo app on an older version.
The react package itself does not contain RSC functionality and is hence not affected by these vulnerabilities.
Summary
- Only experimental RSC and Server Functions are affected. Apps that use Expo only for client-side Android, iOS, and web are not affected.
- You can update just the affected dependency manually, or install the releases of expo-router and jest-expo listed above.
- Specific versions of react-native require specific versions of react.
- In a monorepo, you may use a different version of react for an Expo app than for other web projects.