diff --git a/package.json b/package.json
index c2a84b1ea2..657be88775 100644
--- a/package.json
+++ b/package.json
@@ -35,7 +35,7 @@
"classnames": "^2.2.6",
"debounce": "^1.2.1",
"github-slugger": "^1.3.0",
- "next": "15.1.0",
+ "next": "15.1.9",
"next-remote-watch": "^1.0.0",
"parse-numeric-range": "^1.2.0",
"react": "^19.0.0",
diff --git a/src/components/MDX/Sandpack/template.ts b/src/components/MDX/Sandpack/template.ts
index ed594887bd..fa8c9e4865 100644
--- a/src/components/MDX/Sandpack/template.ts
+++ b/src/components/MDX/Sandpack/template.ts
@@ -35,8 +35,8 @@ root.render(
eject: 'react-scripts eject',
},
dependencies: {
- react: '^19.2.0',
- 'react-dom': '^19.2.0',
+ react: '^19.2.1',
+ 'react-dom': '^19.2.1',
'react-scripts': '^5.0.0',
},
},
diff --git a/src/components/MDX/SandpackWithHTMLOutput.tsx b/src/components/MDX/SandpackWithHTMLOutput.tsx
index 49e980d324..51d06beaf1 100644
--- a/src/components/MDX/SandpackWithHTMLOutput.tsx
+++ b/src/components/MDX/SandpackWithHTMLOutput.tsx
@@ -56,8 +56,8 @@ export default function formatHTML(markup) {
const packageJSON = `
{
"dependencies": {
- "react": "^19.2.0",
- "react-dom": "^19.2.0",
+ "react": "^19.2.1",
+ "react-dom": "^19.2.1",
"react-scripts": "^5.0.0",
"html-format": "^1.1.2"
},
diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
new file mode 100644
index 0000000000..aff8248ca8
--- /dev/null
+++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
@@ -0,0 +1,172 @@
+---
+title: "Critical Security Vulnerability in React Server Components"
+author: The React Team
+date: 2025/12/03
+description: There is an unauthenticated remote code execution vulnerability in React Server Components. A fix has been published in versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
+
+---
+
+December 3, 2025 by [The React Team](/community/team)
+
+---
+
+
+
+There is an unauthenticated remote code execution vulnerability in React Server Components.
+
+We recommend upgrading immediately.
+
+
+
+---
+
+On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
+
+Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
+
+This vulnerability was disclosed as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and is rated CVSS 10.0.
+
+The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
+
+* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
+* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
+* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)
+
+## Immediate Action Required {/*immediate-action-required*/}
+
+A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.
+
+If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
+
+### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/}
+
+Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk).
+
+We will update this post with upgrade instructions on how to upgrade as they become available.
+
+### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}
+
+We have worked with a number of hosting providers to apply temporary mitigations.
+
+You should not depend on these to secure your app, and still update immediately.
+
+### Vulnerability overview {/*vulnerability-overview*/}
+
+[React Server Functions](https://react.dev/reference/rsc/server-functions) allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.
+
+An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.
+
+## Update Instructions {/*update-instructions*/}
+
+### Next.js {/*update-next-js*/}
+
+All users should upgrade to the latest patched version in their release line:
+
+```bash
+npm install next@15.0.5 // for 15.0.x
+npm install next@15.1.9 // for 15.1.x
+npm install next@15.2.6 // for 15.2.x
+npm install next@15.3.6 // for 15.3.x
+npm install next@15.4.8 // for 15.4.x
+npm install next@15.5.7 // for 15.5.x
+npm install next@16.0.7 // for 16.0.x
+```
+
+If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
+
+```bash
+npm install next@14
+```
+
+See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
+
+### React Router {/*update-react-router*/}
+
+If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:
+
+```bash
+npm install react@latest
+npm install react-dom@latest
+npm install react-server-dom-parcel@latest
+npm install react-server-dom-webpack@latest
+npm install @vitejs/plugin-rsc@latest
+```
+
+### Expo {/*expo*/}
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+```
+
+### Redwood SDK {/*update-redwood-sdk*/}
+
+Ensure you are on rwsdk>=1.0.0-alpha.0
+
+For the latest beta version:
+
+```bash
+npm install rwsdk@latest
+```
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+```
+
+See [Redwood docs](https://docs.rwsdk.com/migrating/) for more migration instructions.
+
+### Waku {/*update-waku*/}
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
+```
+
+See [Waku announcement](https://github.com/wakujs/waku/discussions/1823) for more migration instructions.
+
+### `@vitejs/plugin-rsc` {/*vitejs-plugin-rsc*/}
+
+Upgrade to the latest RSC plugin:
+
+```bash
+npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
+```
+
+### `react-server-dom-parcel` {/*update-react-server-dom-parcel*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-parcel@latest
+ ```
+
+### `react-server-dom-turbopack` {/*update-react-server-dom-turbopack*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-turbopack@latest
+ ```
+
+### `react-server-dom-webpack` {/*update-react-server-dom-webpack*/}
+
+Update to the latest version:
+
+ ```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+ ```
+
+## Timeline {/*timeline*/}
+
+* **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/).
+* **November 30th**: Meta security researchers confirmed and began working with the React team on a fix.
+* **December 1st**: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix
+* **December 3rd**: The fix was published to npm and the publicly disclosed as CVE-2025-55182.
+
+## Attribution {/*attribution*/}
+
+Thank you to [Lachlan Davidson](https://github.com/lachlan2k) for discovering, reporting, and working to help fix this vulnerability.
diff --git a/src/content/blog/index.md b/src/content/blog/index.md
index 0a3e02871b..0d9325dbb6 100644
--- a/src/content/blog/index.md
+++ b/src/content/blog/index.md
@@ -11,7 +11,17 @@ title: React Blog
+<<<<<<< HEAD
+=======
+
+
+There is an unauthenticated remote code execution vulnerability in React Server Components. A fix has been published in versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately.
+
+
+
+
+>>>>>>> d8b1fe88a9b4991c9595c0228c16ee6d598fa176
上周我们举办了 React Conf 2025,在本文中,我们总结了会议的演讲和公告……
diff --git a/src/content/reference/react/addTransitionType.md b/src/content/reference/react/addTransitionType.md
index 06020ab851..2557f05649 100644
--- a/src/content/reference/react/addTransitionType.md
+++ b/src/content/reference/react/addTransitionType.md
@@ -39,7 +39,7 @@ startTransition(() => {
#### Returns {/*returns*/}
-`startTransition` does not return anything.
+`addTransitionType` does not return anything.
#### Caveats {/*caveats*/}
diff --git a/src/content/versions.md b/src/content/versions.md
index 9ecff85171..3927f42e00 100644
--- a/src/content/versions.md
+++ b/src/content/versions.md
@@ -52,9 +52,17 @@ React 文档位于 [react.dev](https://react.dev),提供最新版本 React 的
- [React Compiler Case Studies](https://www.youtube.com/watch?v=lvhPq5chokM)
- [React 19 Deep Dive: Coordinating HTML](https://www.youtube.com/watch?v=IBBN-s77YSI)
+<<<<<<< HEAD
**发布版本**
+=======
+**Releases**
+- [v19.2.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1921-dec-3-2025)
+>>>>>>> d8b1fe88a9b4991c9595c0228c16ee6d598fa176
- [v19.2.0 (October, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1920-october-1st-2025)
+- [v19.1.2 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1912-dec-3-2025)
+- [v19.1.1 (July, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1911-july-28-2025)
- [v19.1.0 (March, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1910-march-28-2025)
+- [v19.0.1 (December, 2025)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1901-dec-3-2025)
- [v19.0.0 (December, 2024)](https://github.com/facebook/react/blob/main/CHANGELOG.md#1900-december-5-2024)
### React 18 {/*react-18*/}
diff --git a/yarn.lock b/yarn.lock
index 5b7d7bf969..a07b2f2800 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1225,10 +1225,10 @@
unist-util-visit "^4.0.0"
vfile "^5.0.0"
-"@next/env@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/env/-/env-15.1.0.tgz#35b00a5f60ff10dc275182928c325d25c29379ae"
- integrity sha512-UcCO481cROsqJuszPPXJnb7GGuLq617ve4xuAyyNG4VSSocJNtMU5Fsx+Lp6mlN8c7W58aZLc5y6D/2xNmaK+w==
+"@next/env@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/env/-/env-15.1.9.tgz#3569b6dd6a9b0af998fc6e4902da6b9ed2fc36c9"
+ integrity sha512-Te1wbiJ//I40T7UePOUG8QBwh+VVMCc0OTuqesOcD3849TVOVOyX4Hdrkx7wcpLpy/LOABIcGyLX5P/SzzXhFA==
"@next/eslint-plugin-next@12.0.3":
version "12.0.3"
@@ -1237,45 +1237,45 @@
dependencies:
glob "7.1.7"
-"@next/swc-darwin-arm64@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-darwin-arm64/-/swc-darwin-arm64-15.1.0.tgz#30cb89220e719244c9fa7391641e515a078ade46"
- integrity sha512-ZU8d7xxpX14uIaFC3nsr4L++5ZS/AkWDm1PzPO6gD9xWhFkOj2hzSbSIxoncsnlJXB1CbLOfGVN4Zk9tg83PUw==
-
-"@next/swc-darwin-x64@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-darwin-x64/-/swc-darwin-x64-15.1.0.tgz#c24c4f5d1016dd161da32049305b0ddddfc80951"
- integrity sha512-DQ3RiUoW2XC9FcSM4ffpfndq1EsLV0fj0/UY33i7eklW5akPUCo6OX2qkcLXZ3jyPdo4sf2flwAED3AAq3Om2Q==
-
-"@next/swc-linux-arm64-gnu@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-15.1.0.tgz#08ed540ecdac74426a624cc7d736dc709244b004"
- integrity sha512-M+vhTovRS2F//LMx9KtxbkWk627l5Q7AqXWWWrfIzNIaUFiz2/NkOFkxCFyNyGACi5YbA8aekzCLtbDyfF/v5Q==
-
-"@next/swc-linux-arm64-musl@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-15.1.0.tgz#dfddbd40087d018266aa92515ec5b3e251efa6dd"
- integrity sha512-Qn6vOuwaTCx3pNwygpSGtdIu0TfS1KiaYLYXLH5zq1scoTXdwYfdZtwvJTpB1WrLgiQE2Ne2kt8MZok3HlFqmg==
-
-"@next/swc-linux-x64-gnu@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-15.1.0.tgz#a7b5373a1b28c0acecbc826a3790139fc0d899e5"
- integrity sha512-yeNh9ofMqzOZ5yTOk+2rwncBzucc6a1lyqtg8xZv0rH5znyjxHOWsoUtSq4cUTeeBIiXXX51QOOe+VoCjdXJRw==
-
-"@next/swc-linux-x64-musl@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-15.1.0.tgz#b82a29903ee2f12d8b64163ddf208ac519869550"
- integrity sha512-t9IfNkHQs/uKgPoyEtU912MG6a1j7Had37cSUyLTKx9MnUpjj+ZDKw9OyqTI9OwIIv0wmkr1pkZy+3T5pxhJPg==
-
-"@next/swc-win32-arm64-msvc@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-15.1.0.tgz#98deae6cb1fccfb6a600e9faa6aa714402a9ab9a"
- integrity sha512-WEAoHyG14t5sTavZa1c6BnOIEukll9iqFRTavqRVPfYmfegOAd5MaZfXgOGG6kGo1RduyGdTHD4+YZQSdsNZXg==
-
-"@next/swc-win32-x64-msvc@15.1.0":
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-15.1.0.tgz#4b04a6a667c41fecdc63db57dd71ca7e84d0946b"
- integrity sha512-J1YdKuJv9xcixzXR24Dv+4SaDKc2jj31IVUEMdO5xJivMTXuE6MAdIi4qPjSymHuFG8O5wbfWKnhJUcHHpj5CA==
+"@next/swc-darwin-arm64@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-darwin-arm64/-/swc-darwin-arm64-15.1.9.tgz#7b95fc3b2cd5108b514c949c3bddb3a9b42a714e"
+ integrity sha512-sQF6MfW4nk0PwMYYq8xNgqyxZJGIJV16QqNDgaZ5ze9YoVzm4/YNx17X0exZudayjL9PF0/5RGffDtzXapch0Q==
+
+"@next/swc-darwin-x64@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-darwin-x64/-/swc-darwin-x64-15.1.9.tgz#bda6b37e0deeb64f4139cc70b37e370bd3367be8"
+ integrity sha512-fp0c1rB6jZvdSDhprOur36xzQvqelAkNRXM/An92sKjjtaJxjlqJR8jiQLQImPsClIu8amQn+ZzFwl1lsEf62w==
+
+"@next/swc-linux-arm64-gnu@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-15.1.9.tgz#546717f65de5fa610cd211183bd1be63050ab1c4"
+ integrity sha512-77rYykF6UtaXvxh9YyRIKoaYPI6/YX6cy8j1DL5/1XkjbfOwFDfTEhH7YGPqG/ePl+emBcbDYC2elgEqY2e+ag==
+
+"@next/swc-linux-arm64-musl@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-15.1.9.tgz#3594f47a94fd52e1aba00f59793171de9386f71a"
+ integrity sha512-uZ1HazKcyWC7RA6j+S/8aYgvxmDqwnG+gE5S9MhY7BTMj7ahXKunpKuX8/BA2M7OvINLv7LTzoobQbw928p3WA==
+
+"@next/swc-linux-x64-gnu@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-15.1.9.tgz#77cc834636688e44fea4c9cee800649a4ed92b0d"
+ integrity sha512-gQIX1d3ct2RBlgbbWOrp+SHExmtmFm/HSW1Do5sSGMDyzbkYhS2sdq5LRDJWWsQu+/MqpgJHqJT6ORolKp/U1g==
+
+"@next/swc-linux-x64-musl@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-15.1.9.tgz#88783a8968d0c0e4f274b68569b73c19ee2feecb"
+ integrity sha512-fJOwxAbCeq6Vo7pXZGDP6iA4+yIBGshp7ie2Evvge7S7lywyg7b/SGqcvWq/jYcmd0EbXdb7hBfdqSQwTtGTPg==
+
+"@next/swc-win32-arm64-msvc@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-15.1.9.tgz#1b7024cee3eefe4bcf8f81e7cbffe6aeb15d32ea"
+ integrity sha512-crfbUkAd9PVg9nGfyjSzQbz82dPvc4pb1TeP0ZaAdGzTH6OfTU9kxidpFIogw0DYIEadI7hRSvuihy2NezkaNQ==
+
+"@next/swc-win32-x64-msvc@15.1.9":
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-15.1.9.tgz#92044825d0f9e017d6a27ab69fc8c8f5ca9dc239"
+ integrity sha512-SBB0oA4E2a0axUrUwLqXlLkSn+bRx9OWU6LheqmRrO53QEAJP7JquKh3kF0jRzmlYOWFZtQwyIWJMEJMtvvDcQ==
"@nodelib/fs.scandir@2.1.5":
version "2.1.5"
@@ -5797,12 +5797,12 @@ next-tick@^1.1.0:
resolved "https://registry.npmjs.org/next-tick/-/next-tick-1.1.0.tgz"
integrity sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==
-next@15.1.0:
- version "15.1.0"
- resolved "https://registry.yarnpkg.com/next/-/next-15.1.0.tgz#be847cf67ac94ae23b57f3ea6d10642f3fc1ad69"
- integrity sha512-QKhzt6Y8rgLNlj30izdMbxAwjHMFANnLwDwZ+WQh5sMhyt4lEBqDK9QpvWHtIM4rINKPoJ8aiRZKg5ULSybVHw==
+next@15.1.9:
+ version "15.1.9"
+ resolved "https://registry.yarnpkg.com/next/-/next-15.1.9.tgz#eaab46d7a57c881fadf748d8ba2a8c65ec27ad8f"
+ integrity sha512-OoQpDPV2i3o5Hnn46nz2x6fzdFxFO+JsU4ZES12z65/feMjPHKKHLDVQ2NuEvTaXTRisix/G5+6hyTkwK329kA==
dependencies:
- "@next/env" "15.1.0"
+ "@next/env" "15.1.9"
"@swc/counter" "0.1.3"
"@swc/helpers" "0.5.15"
busboy "1.6.0"
@@ -5810,14 +5810,14 @@ next@15.1.0:
postcss "8.4.31"
styled-jsx "5.1.6"
optionalDependencies:
- "@next/swc-darwin-arm64" "15.1.0"
- "@next/swc-darwin-x64" "15.1.0"
- "@next/swc-linux-arm64-gnu" "15.1.0"
- "@next/swc-linux-arm64-musl" "15.1.0"
- "@next/swc-linux-x64-gnu" "15.1.0"
- "@next/swc-linux-x64-musl" "15.1.0"
- "@next/swc-win32-arm64-msvc" "15.1.0"
- "@next/swc-win32-x64-msvc" "15.1.0"
+ "@next/swc-darwin-arm64" "15.1.9"
+ "@next/swc-darwin-x64" "15.1.9"
+ "@next/swc-linux-arm64-gnu" "15.1.9"
+ "@next/swc-linux-arm64-musl" "15.1.9"
+ "@next/swc-linux-x64-gnu" "15.1.9"
+ "@next/swc-linux-x64-musl" "15.1.9"
+ "@next/swc-win32-arm64-msvc" "15.1.9"
+ "@next/swc-win32-x64-msvc" "15.1.9"
sharp "^0.33.5"
nice-try@^1.0.4: