CVE

CVE-2025-55182

CVE

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Related Resources

No items found.

References

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182, https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components, https://www.facebook.com/security/advisories/cve-2025-55182, http://www.openwall.com/lists/oss-security/2025/12/03/4, https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/, https://news.ycombinator.com/item?id=46136026

Severity

10

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

0.53464%

EPSS Percentile

0.97879%

Introduced Version

51bfe3c1863b191f4b039bc230e8ed5c57b0baf3

Fix Available

3d663f2141a05adb975de4e9dae4c49780791881

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2025-55182

CVE-2025-55182

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

10

Basic Information

Fix Critical Vulnerabilities Instantly