CVE-2025-55182

EUVD-2025-200983 | CRITICAL | CVSS 3.1: 10.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Analysis Generated: Mar 15, 2026 - 16:14 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 16:14 (euvd), EUVD-2025-200983
Patch Released: Mar 15, 2026 - 16:14 (nvd), Patch available
Added to CISA KEV: Dec 10, 2025 - 02:00 (cisa), CISA KEV
PoC Detected: Dec 10, 2025 - 02:00 (vuln.today), Public exploit code
CVE Published: Dec 03, 2025 - 16:15 (nvd), CRITICAL 10.0

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Analysis

React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.

Technical Context

React Server Components (RSC) introduced in React 19 allow server-side rendering and Server Functions (formerly Server Actions). The vulnerability exists in the deserialization of HTTP request bodies sent to Server Function endpoints. The deserializer processes attacker-controlled data without proper validation, enabling code execution on the server. This affects three official RSC packages: react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. Given React's dominance in web development, the potential impact is enormous.

Affected Products

React 19.0.0
React 19.1.0
React 19.1.1
React 19.2.0
react-server-dom-webpack
react-server-dom-turbopack
react-server-dom-parcel

Remediation

Upgrade React and all react-server-dom-* packages immediately. This is emergency priority for any application using React Server Components. If unable to upgrade, consider temporarily disabling Server Functions. Audit server logs for exploitation attempts. Rotate all secrets and API keys that may have been exposed.

Priority Score: 201

KEV: +50
EPSS: +71.1
CVSS: +50
POC: +20
