Updating react-server-dom-webpack for CVE-2025-55182 causes `Incompatible React versions` in Expo
On December 3, 2025, the React team disclosed a critical RCE vulnerability (CVE-2025-55182) and released patches affecting React Server Components. While the highest risk applies to Next.js and other RSC-heavy frameworks, Expo projects also include impacted dependencies. For Expo developers specifically, updating react-server-dom-webpack using the instructions from react.dev can trigger an Incompatible React versions error. In this article, we’ll cover what this means for Expo apps and how to apply the fix correctly. Regardless of your stack, be sure to verify whether your project is affected.
General TLDR
- Problem: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- You are safe if:
  - Your app’s React code does not use a server
  - Your app does not use a framework, bundler, or bundler plugin that supports React Server Components (i.e., not using next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, or rwsdk)
- Solution: Update `react` and `react-server-dom-*` to v19.0.1, 19.1.2 or 19.2.1 if you are running React Server Components
Expo
The problem is that jest-expo had a hard dependency on react-server-dom-webpack. The Expo team has already switched it to a peer dependency and tightened the peer dependency requirement (PR). Specifically, their peer dependency is:
"react-server-dom-webpack": "~19.0.1 || ~19.1.2 || ~19.2.1"
We are still waiting for a release to patch expo-router 6.0.16. On December 5, 2025 at 1:49:08 AM, the Expo team released v6.0.17. Please update expo-router and check with `npm audit`!
Temporary solution prior to expo-router 6.0.17 release
A temporary solution is to override jest-expo in your package.json and make sure you don’t have it installed or in package-lock.json (i.e., run `npm audit`).
In your package.json, add the following overrides. This override also won’t affect Expo's checks (i.e., `npx expo install --check`), so you won't get the Incompatible React versions error. However, once expo-router is patched, please update it!
{
  // ...
  "overrides": {
    "jest-expo": {
      "react-server-dom-webpack": "19.1.2"
    }
  }
}
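To confirm the override took effect in the lockfile, the following added example (not code from the Expo or React projects) scans a parsed package-lock.json for `react-server-dom-*` entries at the affected versions listed above and reports which package each nested copy sits under. The lockfileVersion 2/3 `packages` layout, the function name `findVulnerable` and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: flag react-server-dom-* entries in an npm lockfile that sit on
// the versions this article lists as affected by CVE-2025-55182.
const VULNERABLE = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Assumption: lockfileVersion 2/3 layout, where `packages` maps install paths
// such as "node_modules/a/node_modules/b" to { version, ... }.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const segments = path.split("node_modules/").filter(Boolean);
    const name = segments[segments.length - 1] || "";
    if (!name.startsWith("react-server-dom-")) continue;
    if (!meta || !VULNERABLE.has(meta.version)) continue;
    const releaseLine = meta.version.split(".").slice(0, 2).join(".");
    // A nested copy names the package whose dependency needs an `overrides` entry.
    const nestedUnder =
      segments.length > 1 ? segments[segments.length - 2].replace(/\/$/, "") : null;
    findings.push({
      path,
      name,
      version: meta.version,
      fixedIn: PATCHED[releaseLine],
      nestedUnder,
    });
  }
  return findings;
}

// Constructed sample: the hoisted copy is patched, but jest-expo still pins
// its own vulnerable copy (the situation the override above addresses).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-expo-app" },
    "node_modules/react-server-dom-webpack": { version: "19.1.2" },
    "node_modules/jest-expo": { version: "0.0.0-constructed" },
    "node_modules/jest-expo/node_modules/react-server-dom-webpack": { version: "19.0.0" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  const where = f.nestedUnder ? `nested under ${f.nestedUnder}` : "hoisted";
  console.log(`${f.path}: ${f.version} (${where}) -> update to ${f.fixedIn}`);
}
```

To scan a real project, pass the result of `JSON.parse` on your own package-lock.json to `findVulnerable` instead of the sample object.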
Related PRs:
- [canary] Add `react-server-dom-webpack` recommended version to `bundledNativeModules.json` #41429
- [sdk-53] Add `react-server-dom-webpack` recommended version to `bundledNativeModules.json` #41423
- [sdk-54] Add `react-server-dom-webpack` recommended version to `bundledNativeModules.json` and bump #41417
Vulnerability PoCs
There are a lot of vulnerability PoCs out there, and Lachlan Davidson, the developer who found the vulnerability, is advising developers to assess whether they are valid PoCs, since some PoCs might lead to false positives. More Details