Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6Blast Radius
ecosystem impact- 10 npm packages depend on react-server-dom-webpack (6 direct, 4 indirect)
Ecosystem-wide dependent count for version 19.0.0.
DescriptionCVE.org
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
AnalysisAI
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) through unsafe deserialization of HTTP request payloads. With EPSS 71.1% and KEV listing, this vulnerability affects any application using React Server Components with react-server-dom-webpack, react-server-dom-turbopack, or react-server-dom-parcel — enabling complete server compromise through a single HTTP request.
Technical ContextAI
React Server Components (RSC) introduced in React 19 allow server-side rendering and Server Functions (formerly Server Actions). The vulnerability exists in the deserialization of HTTP request bodies sent to Server Function endpoints. The deserializer processes attacker-controlled data without proper validation, enabling code execution on the server. This affects three official RSC packages: react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel. Given React's dominance in web development, the potential impact is enormous.
RemediationAI
Upgrade React and all react-server-dom-* packages immediately. This is emergency priority for any application using React Server Components. If unable to upgrade, consider temporarily disabling Server Functions. Audit server logs for exploitation attempts. Rotate all secrets and API keys that may have been exposed.
react-native-keys version 0.7.11 contains a sensitive information disclosure vulnerability where encryption ciphers and
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scrip
Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc
Uncontrolled resource consumption in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
React-Router versions up to 6.30.1 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. [CVSS 6.5 MEDIUM]
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names a
Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 5.9).
A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-200983
GHSA-fv66-9v8q-g76r