
React CVE-2025-55182

EUVD-2025-200983 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
Published 2025-12-03 · CNA: cve-assign@fb.com · Advisory: GHSA-fv66-9v8q-g76r
CVSS 3.1 base score: 10.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

  • EUVD ID Assigned (EUVD-2025-200983) – Mar 15, 2026, 16:14 – source: euvd
  • Analysis Generated – Mar 15, 2026, 16:14 – source: vuln.today
  • Patch released (patch available) – Mar 15, 2026, 16:14 – source: nvd
  • Added to CISA KEV – Dec 10, 2025, 02:00 – source: cisa
  • PoC Detected (public exploit code) – Dec 10, 2025, 02:00 – source: vuln.today
  • CVE Published (CRITICAL 10.0) – Dec 03, 2025, 16:15 – source: nvd

Blast Radius

Ecosystem impact (transitive dependency graph resolved by vuln.today to a depth of 4 paths):
  • 10 npm packages depend on react-server-dom-webpack (6 direct, 4 indirect)

Ecosystem-wide dependent count for version 19.0.0.

Description (NVD)

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Analysis (AI-generated)

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) caused by unsafe deserialization of HTTP request payloads. The vulnerability has an EPSS score of 71.1% and is listed in CISA KEV. It affects any application that uses React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel, and a single HTTP request can lead to complete server compromise.

Technical Context (AI-generated)

React Server Components (RSC) introduced in React 19 allow server-side rendering and Server Functions (formerly Server Actions). The vulnerability exists in the deserialization of HTTP request bodies sent to Server Function endpoints. The deserializer processes attacker-controlled data without proper validation, enabling code execution on the server. This affects three official RSC packages: react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. Given React's dominance in web development, the potential impact is enormous.

Remediation (AI-generated)

Upgrade React and all react-server-dom-* packages immediately; treat this as an emergency-priority change for any application using React Server Components. If an upgrade is not possible right away, consider temporarily disabling Server Functions. Audit server logs for requests to Server Function endpoints that indicate exploitation attempts, and rotate all secrets and API keys that may have been exposed to the server process.

Vendor Status


CVE-2025-55182 vulnerability details – vuln.today
