vulnerability

CVE-2025-55182: React Server Components Remote Code Execution

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Dec 3, 2025	Dec 4, 2025	Dec 9, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Dec 3, 2025

Added

Dec 4, 2025

Modified

Dec 9, 2025

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to execute arbitrary code on the server.

Solution

meta-react-cve-2025-55182

References

CVE-2025-55182
https://attackerkb.com/topics/CVE-2025-55182
URL-https://www.facebook.com/security/advisories/cve-2025-55182
URL-https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today