CVE-2025-55182

Summary

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Affected Software

VendorProductVersion RangeStatus
Metareact-server-dom-webpack19.0.0 <= 19.0.0affected
Metareact-server-dom-webpack19.1.0 <= 19.1.1affected
Metareact-server-dom-webpack19.2.0 <= 19.2.0affected
Metareact-server-dom-turbopack19.0.0 <= 19.0.0affected
Metareact-server-dom-turbopack19.1.0 <= 19.1.1affected
Metareact-server-dom-turbopack19.2.0 <= 19.2.0affected
Metareact-server-dom-parcel19.0.0 <= 19.0.0affected
Metareact-server-dom-parcel19.1.0 <= 19.1.1affected
Metareact-server-dom-parcel19.2.0 <= 19.2.0affected

Weaknesses

  • Deserialization of Untrusted Data (CWE-502)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

CVE Program Container

Additional References

References