Aptible incident

CVE-2025-55182: React server component vulnerability

Notice Resolved View vendor source →

Aptible experienced a notice incident on December 5, 2025 affecting Aptible Deploy, lasting 3d 2h. The incident has been resolved; the full update timeline is below.

Started
Dec 05, 2025, 02:39 PM UTC
Resolved
Dec 08, 2025, 04:52 PM UTC
Duration
3d 2h
Detected by Pingoru
Dec 05, 2025, 02:39 PM UTC

Affected components

Aptible Deploy

Update timeline

  1. investigating Dec 05, 2025, 02:39 PM UTC

    We are aware of the recently disclosed critical vulnerability CVE-2025-55182 (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) affecting React Server Components, which could allow remote code execution under certain conditions. This vulnerability affects certain React 19.x and frameworks that implement React Server Components, including Next.js. *Aptible Platform Impact:* Aptible has reviewed all infrastructure components that we manage and has confirmed that all are unaffected by this vulnerability. *Customer Application Impact:* If you are running applications on Aptible that use React Server Components, you may be affected. We have seen active exploitation of this vulnerability, and we recommend upgrading to the patched versions immediately. Specifically, applications using: - React 19.0.0, 19.1.0, 19.1.1, or 19.2.0 with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel - Next.js versions 14.3.0-canary.77 and all subsequent 14.3.x canary releases, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.2.0, 15.2.1, 15.2.2, 15.2.3, 15.2.4, 15.2.5, 15.3.0, 15.3.1, 15.3.2, 15.3.3, 15.3.4, 15.3.5, 15.4.0, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 15.4.5, 15.4.6, 15.4.7, 15.5.0, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.5.6, 15.6.0-canary.0 through 15.6.0-canary.57, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4, 16.0.5, 16.0.6 - Other frameworks implementing React Server Components including Vite, Parcel, React Router, RedwoodSDK, Waku *Additional Resources:* React Security Advisory: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r Next.js Security Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp We will continue to update this incident page as more information becomes available.

  2. resolved Dec 08, 2025, 04:52 PM UTC

    This incident has been resolved.