Mitigating the Critical Security Vulnerability in React Server Components

Dec 5, 2025 by Phil Pluckthun and Vojtech Novak

Here's what you need to know about whether your Expo app is affected by CVE-2025-55182 (Critical Security Vulnerability in React Server Components) and how to upgrade it to protect against this vulnerability.

An unauthenticated remote code execution vulnerability in React Server Components was disclosed as CVE-2025-55182. You can learn more about the vulnerability in the react.dev blog post. It only affects Expo apps in specific circumstances, and the mitigation steps differ slightly from those for web apps, so read on to learn more.

Am I affected?

First, you only need to take action if you're using experimental RSC or Server Functions support in production. API routes are not affected, and the impact on EAS Hosting was already mitigated through a WAF rule.

Expo projects can be vulnerable through a dependency on react-server-dom-webpack 19.0, 19.1.0, 19.1.1, or 19.2.0. Projects that do not use RSC typically won't have a dependency on the vulnerable package at all.

What to do (if affected)

To mitigate the vulnerability in your project's dependencies, you need to use a version of react-server-dom-webpack according to the list below:

  • react-server-dom-webpack@19.1.2 for SDK 54 (with react 19.1.x)
  • react-server-dom-webpack@19.0.1 for SDK 53 (with react 19.0.x)
  • react-server-dom-webpack@19.2.1 for canary (with react 19.2.x)

You can install the appropriate version manually to mitigate the issue. If you're using npm, peer dependency errors may require you to add react-server-dom-webpack to the overrides field of your package.json.

Additionally, we have published patches for Expo SDK 53, 54 and canary that restrict our peer dependency ranges to only allow the patched react-server-dom-webpack versions mentioned above. Earlier versions of Expo are not affected.

These patches were published as listed below:

Additionally, we have updated our version recommendations in the Expo CLI. Running expo install --check will recommend updates to react-server-dom-webpack if you directly depend on an affected version. The React team has deprecated the affected versions, so your package manager should additionally flag them if they're still installed in your project.

Verify the upgrade

After upgrading, verify that your project depends on the expected version of react-server-dom-webpack using npm explain react-server-dom-webpack, yarn why react-server-dom-webpack, or the equivalent command for your package manager.
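The manual check above only reports what your package manager resolves; the script below, an added example that is not Expo's code, walks a package-lock.json (lockfileVersion 2 or 3, assumed format) for every hoisted or nested copy of react-server-dom-webpack, flags the versions this post lists as affected (the "19.0" release is taken to be 19.0.0), and derives the overrides entry matching your installed react line from the list above.

```javascript
// Added example (not Expo's own tooling): audit a package-lock.json for the
// react-server-dom-webpack versions CVE-2025-55182 affects and suggest the
// patched release for the installed react line, per the post's list.
const AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]); // "19.0" read as 19.0.0
const PATCHED_FOR_REACT_LINE = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Maps a react version such as "19.1.4" to the patched react-server-dom-webpack
// release for that line; null when the react line is not one the post covers.
function patchedVersionFor(reactVersion) {
  const line = reactVersion.split(".").slice(0, 2).join(".");
  return PATCHED_FOR_REACT_LINE[line] || null;
}

// Inspects every installed copy, hoisted ("node_modules/<pkg>") or nested
// ("node_modules/<dep>/node_modules/<pkg>"), in the lockfile's "packages" map.
function auditLock(lock) {
  const pkgs = lock.packages || {};
  const react = pkgs["node_modules/react"];
  const patched = react ? patchedVersionFor(react.version) : null;
  const findings = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    if (!path.endsWith("node_modules/react-server-dom-webpack")) continue;
    findings.push({ path, version: meta.version, affected: AFFECTED.has(meta.version) });
  }
  // The value to put under "overrides" in package.json when a vulnerable copy remains.
  const overrides = findings.some((f) => f.affected) && patched
    ? { "react-server-dom-webpack": patched }
    : null;
  return { reactVersion: react ? react.version : null, findings, overrides };
}

// Constructed sample lockfile (not from a real project): the hoisted copy is
// patched, but a dependency still pulls in a nested vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/some-dep/node_modules/react-server-dom-webpack": { version: "19.1.1" },
  },
};

// CLI use: `node audit.js ./package-lock.json`; without an argument the sample runs.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLock(lock), null, 2));
}
```

A nested copy that the hoisted install hides is exactly the case npm's overrides field resolves, so treat any finding with affected: true as unpatched even when the top-level version looks right.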

React & React Native Version Compatibility

Keep in mind that specific versions of react-native require specific versions of react, to prevent a runtime version mismatch. Always follow the react (and react-dom) version recommendations from expo install --check to prevent mismatches.

React versions in a monorepo

If you're using a monorepo and must update react, SDK 54 allows you to keep your Expo app on the correct react version by enabling expo.experiments.autolinkingModuleResolution: true in your app.json. This helps if other web apps or projects must be updated to a newer version of react while keeping your React Native / Expo app on an older version.
The react package itself does not contain RSC functionality and is hence not affected by this vulnerability.

Summary

  • only experimental RSC or Server Functions are affected
  • EAS Hosting impact was mitigated
  • you can update just the affected dependency manually or install the releases of expo-router and jest-expo according to the table above
  • specific versions of react-native require specific versions of react
  • in a monorepo, you may use a different version of react for an Expo app and other web projects