
[Bug]: remote code execution vulnerability in bundled react-server-dom-webpack #7970

@jenseng


Version

System: *
Browsers: *

Details

As of #6880, modern-js uses a vendored version of react-server-dom-webpack (19.0.0). Today (2025-12-03) Facebook disclosed a remote code execution vulnerability in this version. See:

The React team has not (yet) published specifics about how the exploit works, but given that @modern-js/render uses react-server-dom-webpack to render RSCs, it seems highly likely that it is vulnerable.

Reproduce link

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Reproduce Steps

See https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
