Skip to main content

React CVE-2025-55182

| EUVDEUVD-2025-200983 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2025-12-03 cve-assign@fb.com GHSA-fv66-9v8q-g76r
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat
10.0 CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
EUVD ID Assigned
Mar 15, 2026 - 16:14 euvd
EUVD-2025-200983
Analysis Generated
Mar 15, 2026 - 16:14 vuln.today
Patch released
Mar 15, 2026 - 16:14 nvd
Patch available
Added to CISA KEV
Dec 10, 2025 - 02:00 cisa
CISA KEV
PoC Detected
Dec 10, 2025 - 02:00 vuln.today
Public exploit code
CVE Published
Dec 03, 2025 - 16:15 nvd
CRITICAL 10.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 npm packages depend on react-server-dom-webpack (6 direct, 4 indirect)

Ecosystem-wide dependent count for version 19.0.0.

DescriptionCVE.org

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

AnalysisAI

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.

Technical ContextAI

React Server Components (RSC) introduced in React 19 allow server-side rendering and Server Functions (formerly Server Actions). The vulnerability exists in the deserialization of HTTP request bodies sent to Server Function endpoints. The deserializer processes attacker-controlled data without proper validation, enabling code execution on the server. This affects three official RSC packages: react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. Given React's dominance in web development, the potential impact is enormous.

RemediationAI

Upgrade React and all react-server-dom-* packages immediately. This is emergency priority for any application using React Server Components. If unable to upgrade, consider temporarily disabling Server Functions. Audit server logs for exploitation attempts. Rotate all secrets and API keys that may have been exposed.

More in React

View all
CVE-2025-45001 HIGH POC
7.5 Jun 09

react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and

CVE-2026-22028 MEDIUM POC
6.1 Jan 08

HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip

CVE-2026-27612 MEDIUM POC
6.1 Feb 25

Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc

CVE-2026-23864 HIGH
7.5 Jan 26

Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react

CVE-2026-1461 MEDIUM
6.5 Feb 19

Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).

CVE-2025-68470 MEDIUM
6.5 Jan 10

React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

CVE-2026-30847 MEDIUM
6.5 Mar 06

Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]

CVE-2026-22030 MEDIUM
6.5 Jan 10

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]

CVE-2018-6341 MEDIUM
6.1 Dec 31

React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names a

CVE-2026-29613 MEDIUM
5.9 Mar 05

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).

CVE-2025-14969 MEDIUM
4.3 Jan 26

A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client

CVE-2026-28194 MEDIUM
4.3 Feb 25

Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

Vendor StatusVendor

Share

CVE-2025-55182 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy