"Payload has transformed the way our clients manage content. It's an indispensable tool for any modern agency."
Get the resources you need to start building today
Microsoft chose Payload to tell the world about AI.
A critical vulnerability has been disclosed in React Server Components, impacting React 19 and frameworks built on top of it, including Next.js.
A critical vulnerability has been disclosed in React Server Components (CVE-2025-55182), impacting React 19 and frameworks built on top of it, including Next.js (CVE-2025-66478).
This issue allows unauthenticated attackers to craft malicious HTTP requests that could lead to remote code execution via insecure deserialization in the RSC “Flight” protocol. Please refer to the CVEs above for full technical details.
While this is not a Payload vulnerability, it may affect any Payload project running on the affected versions of React or Next.js. We recommend upgrading your application dependencies as soon as possible.
To patch:
- Update React to 19.2.1
- Update Next.js to 15.4.8
Then run your package manager (e.g., npm install) to apply the updates.
For more details, including the related fix in the Payload repo, see:
https://github.com/payloadcms/payload/pull/14807.
If you have any questions or need guidance applying the updates, you can reach out to the Payload team on Discord.