Conversation

@PierreCrb

🔒 Security Fix: Patch for CVE-2025-55182 (React Server Components RCE)

This PR updates the project's React dependencies to address CVE-2025-55182, a critical pre-authentication remote code execution vulnerability affecting React Server Components.

The vulnerability impacts React due to unsafe deserialization of payloads sent to Server Function endpoints.
Even projects that do not explicitly use Server Functions may still be exposed if they support React Server Components.

✔️ Changes

  • react-server-dom-parcel: 19.0.0 → 19.2.1

These versions include the official security patch released by the React team on December 3, 2025.

✔️ Why this is important

The vulnerability is rated CVSS 10.0 (Critical) and allows an unauthenticated attacker to achieve remote code execution on servers using affected React packages.
Upgrading to the patched versions fully mitigates the issue.

Feel free to let me know if any adjustments or additional updates are needed.

@changeset-bot

changeset-bot bot commented Dec 3, 2025

⚠️ No Changeset found

Latest commit: 2460057

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@remix-cla-bot
Contributor

remix-cla-bot bot commented Dec 3, 2025

Hi @PierreCrb,

Welcome, and thank you for contributing to React Router!

Before we consider your pull request, we ask that you sign our Contributor License Agreement (CLA). We require this only once.

You may review the CLA and sign it by adding your name to contributors.yml.

Once the CLA is signed, the CLA Signed label will be added to the pull request.

If you have already signed the CLA and received this response in error, or if you have any questions, please contact us at [email protected].

Thanks!

- The Remix team

@libnewton

AI slop patch

@PierreCrb
Author

PierreCrb commented Dec 3, 2025

AI slop patch

ahahha I'm not AI bro, sry

https://x.com/0xPierre_com/status/1996294839831326867

@timdorr
Member

timdorr commented Dec 4, 2025

Thanks, but these are all internal testing tools.

Users of React Router should upgrade the appropriate plugins for their bundler and upgrade react/react-dom. This is all possible without us publishing a new version.

@timdorr timdorr closed this Dec 4, 2025
@mischelsmithg

mischelsmithg commented Dec 4, 2025

@timdorr please clarify if you could, are you saying the react-router package is not vulnerable to CVE-2025-55182? https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components indicates this is, and I would presume the solution would be to upgrade the library dependencies like react-server-dom-parcel to 19.0.1/19.1.2/19.2.1, which this pull request proposed upgrading it to 19.2.1. GHSA-fv66-9v8q-g76r
Why would releasing a new version of react-router with the updated package for react-server-dom-parcel not be the solution?

@timdorr
Member

timdorr commented Dec 4, 2025

The vulnerability doesn't come from this library (or next, waku, redwood, etc), but from the react-server-dom-* series of packages. Those are used by this library, but aren't part of the library codebase. Our version selectors already allow for installing fixed versions of the affected packages, so we don't need to do anything on our end for folks to upgrade.

You'll note that the mitigation instructions for React Router on the React blog don't actually involve upgrading any of our packages: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-react-router
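The practical consequence of the maintainer's reply is that the fix lives in whatever react-server-dom-* package the bundler plugin pulls in, not in react-router itself, so the thing to check is the resolved version in your own lockfile. The following is an added example, not code from this PR or from the React Router project: it walks an npm lockfile's `packages` map (lockfile v2/v3 layout), finds every react-server-dom-* entry, including nested copies under another package's node_modules, and classifies each against the patched versions named in this thread (19.0.1, 19.1.2, 19.2.1). The package prefix, the fixed-version table, and the sample lockfile are this example's own assumptions; confirm them against the React advisory linked above before relying on the output.

```javascript
// Added example (not code from this PR or from React Router): audit an npm
// lockfile for react-server-dom-* packages still below the patched releases
// named in this thread. Version table is an assumption taken from the linked
// React advisory: first fixed patch on each 19.x line.
const FIXED_PATCH_BY_LINE = { "19.0": 1, "19.1": 2, "19.2": 1 };

// The affected family is react-server-dom-* (webpack, parcel, turbopack);
// matching on the prefix also catches any other member of the family.
const AFFECTED_PREFIX = "react-server-dom-";

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null on anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Classify one resolved version of an affected package.
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unparseable";
  const line = `${p.major}.${p.minor}`;
  if (!(line in FIXED_PATCH_BY_LINE)) return "outside-known-range";
  const fixed = FIXED_PATCH_BY_LINE[line];
  if (p.patch > fixed) return "patched";
  if (p.patch < fixed) return "vulnerable";
  // Same patch number: a prerelease such as 19.2.1-canary-... sorts below
  // the 19.2.1 release in semver, so it does not carry the fix.
  return p.pre ? "vulnerable" : "patched";
}

// Walk lockfile.packages. Keys look like "node_modules/a/node_modules/b";
// the root project itself is the empty key and is skipped.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!name.startsWith(AFFECTED_PREFIX)) continue;
    findings.push({ path, name, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile for illustration; not taken from the PR.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.0.0" },
    "node_modules/some-plugin/node_modules/react-server-dom-webpack": {
      version: "19.2.1-canary-abc123",
    },
    "node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.status.padEnd(20)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Nested copies matter: a bundler plugin that pins its own react-server-dom-* under its node_modules can leave a vulnerable copy in place even after the top-level one is upgraded, which is why the audit keys on the last `node_modules/` segment rather than only top-level entries.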
