CVE-2025-55182 PUBLISHED

Assigner: Meta
Reserved: 08.08.2025 Published: 03.12.2025 Updated: 03.12.2025

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Meta
Product	react-server-dom-webpack
Versions	Default: unaffected affected from 19.0.0 to 19.2.0 (incl.)

Vendor	Meta
Product	react-server-dom-turbopack
Versions	Default: unaffected affected from 19.0.0 to 19.2.0 (incl.)

Vendor	Meta
Product	react-server-dom-parcel
Versions	Default: unaffected affected from 19.0.0 to 19.2.0 (incl.)

References

Problem Types

Deserialization of Untrusted Data (CWE-502)