Security update: React Server Components vulnerability patched
We’ve updated our platform to address a critical security vulnerability (CVE-2025-66478) in React Server Components. This vulnerability, rated CVSS 10.0, could allow remote code execution when processing attacker-controlled requests in unpatched environments.
The vulnerability originates in the upstream React implementation (CVE-2025-55182) and affects Next.js applications using the App Router with React Server Components.
What we did
We upgraded our platform dependencies to the patched versions:
- Next.js: Updated from 15.5.4 to 15.5.7
- React: Updated from 19.0.0 to 19.0.1
- React-DOM: Updated from 19.0.0 to 19.0.1
These versions include the hardened React Server Components implementation that resolves the vulnerability.
Impact on Fern users
No action is required from Fern Docs users. The security patch has been applied to all Fern-hosted documentation sites automatically.
For self-hosted deployments, we recommend updating to the latest Fern platform version to ensure you have the security fix.
