All self-hosters should upgrade to v5.9.9 or above of Cal.com as soon as possible using the tag, a cherry-pick of the patch or the Docker image.
Description
A critical vulnerability has been identified in the React Server Components (RSC) protocol. The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments.
Workarounds
Manually patch your self-hosted instance of Cal.com to use an approved version of Next.js/React, as suggested by Vercel here.
References
CVE-2025-55182
CVE-2025-66478