React Security: What Happened, What Was Affected, and What Comes Next
In December 2025, React and Vercel disclosed two serious security vulnerabilities related to React Server Components, plus a third issue caused by an incomplete fix.
These issues don’t mean React is unsafe, but they do show that modern React.js apps now run real server logic, and server logic must be treated carefully. Let’s walk through everything in plain words so it is easy to follow.



