This alert is relevant to all Australian businesses and organisations.
This alert contains a combination of simple and moderately complex technical advice, intended for business owners and technical IT support services.
Background
ASD’s ACSC is aware of a critical vulnerability in React Server Components, which are used extensively in modern web applications.
CVE-2025-55182 enables an attacker to achieve unauthenticated Remote Code Execution (RCE) in vulnerable versions of the following packages:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Mitigation advice
Australian organisations should review their networks for vulnerable instances of these packages and upgrade to fixed versions as outlined here: React security blog.
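One way to start that review, as an added example that is not part of this alert or of the React project: a Python script that inventories npm package-lock.json files under a directory and reports the pinned version of each of the three packages named above. The fixed versions are not listed in this alert, so compare the reported versions against the React security blog. It assumes npm lockfiles only; Yarn and pnpm lockfiles are not covered.

```python
import json
import os
import sys

# Package names as listed in the alert.
AFFECTED = {"react-server-dom-webpack", "react-server-dom-parcel",
            "react-server-dom-turbopack"}

def find_in_lockfile(lock):
    """Return sorted (package, version, install path) tuples for affected packages."""
    hits = set()
    # lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]
        if name in AFFECTED:
            hits.add((name, meta.get("version", "unknown"), path))

    def walk(deps, trail):
        # lockfileVersion 1 (kept in version 2 for compatibility): nested tree.
        for name, meta in deps.items():
            here = f"{trail}node_modules/{name}"
            if name in AFFECTED:
                hits.add((name, meta.get("version", "unknown"), here))
            walk(meta.get("dependencies") or {}, here + "/")

    walk(lock.get("dependencies", {}), "")
    return sorted(hits)

def scan_tree(root):
    """Walk root and collect findings from every package-lock.json found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Lockfiles shipped inside node_modules do not describe the install.
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        if "package-lock.json" in filenames:
            lockfile = os.path.join(dirpath, "package-lock.json")
            try:
                with open(lockfile, encoding="utf-8") as fh:
                    lock = json.load(fh)
            except (OSError, ValueError) as exc:
                print(f"skipped {lockfile}: {exc}", file=sys.stderr)
                continue
            findings += [(lockfile, *hit) for hit in find_in_lockfile(lock)]
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for lockfile, name, version, location in scan_tree(root):
        print(f"{lockfile}: {name} {version} ({location})")
```

Run it with the directory that holds your application checkouts or deployments as the only argument; transitive copies nested under another dependency are reported with their full install path.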
Where to get help
Organisations that have been impacted, suspect impact or require advice and assistance can contact us via 1300 CYBER1 (1300 292 371).