CVE-2025-55182

State: PUBLISHED · Published: 2025-12-03 · Updated: 2026-02-26 · Assigner: Meta

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

CWE

(none)

Affected

Meta / react-server-dom-webpack — v=19.0.0 ≤19.0.0 [affected]; v=19.1.0 ≤19.1.1 [affected]; v=19.2.0 ≤19.2.0 [affected]
Meta / react-server-dom-turbopack — v=19.0.0 ≤19.0.0 [affected]; v=19.1.0 ≤19.1.1 [affected]; v=19.2.0 ≤19.2.0 [affected]
Meta / react-server-dom-parcel — v=19.0.0 ≤19.0.0 [affected]; v=19.1.0 ≤19.1.1 [affected]; v=19.2.0 ≤19.2.0 [affected]

CVSS

3.1 score=10 severity=CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

https://www.facebook.com/security/advisories/cve-2025-55182 x_refsource_CONFIRM
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components x_refsource_CONFIRM

Source

cvelistV5-main/cves/2025/55xxx/CVE-2025-55182.json