Aptible Status

Resolved: This incident has been resolved.

Investigating: We are aware of the recently disclosed critical vulnerability CVE-2025-55182 (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) affecting React Server Components, which could allow remote code execution under certain conditions. This vulnerability affects certain React 19.x and frameworks that implement React Server Components, including Next.js.

Aptible Platform Impact: Aptible has reviewed all infrastructure components that we manage and has confirmed that all are unaffected by this vulnerability.

Customer Application Impact: If you are running applications on Aptible that use React Server Components, you may be affected. We have seen active exploitation of this vulnerability, and we recommend upgrading to the patched versions immediately.

Specifically, applications using:

• React 19.0.0, 19.1.0, 19.1.1, or 19.2.0 with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel
• Next.js versions 14.3.0-canary.77 and all subsequent 14.3.x canary releases, 15.0.0, 15.0.1, 15.0.2, 15.0.3, 15.0.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7, 15.1.8, 15.2.0, 15.2.1, 15.2.2, 15.2.3, 15.2.4, 15.2.5, 15.3.0, 15.3.1, 15.3.2, 15.3.3, 15.3.4, 15.3.5, 15.4.0, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 15.4.5, 15.4.6, 15.4.7, 15.5.0, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.5.6, 15.6.0-canary.0 through 15.6.0-canary.57, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4, 16.0.5, 16.0.6
• Other frameworks implementing React Server Components including Vite, Parcel, React Router, RedwoodSDK, Waku

Additional Resources: React Security Advisory: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r Next.js Security Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp

We will continue to update this incident page as more information becomes available.