CVE-2025-55182
published 2025-12-03


Priority: P1 (100, critical)
CVSS 3.1: 10.0 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2025-12-12
Exploited in the wild
EPSS: 99.56% (99.9th percentile)
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Affected

39 ranges, showing 25

Vendor   | Product                    | Version range                  | Fixed in
facebook | react                      |                                |
facebook | react                      |                                |
facebook | react                      |                                |
facebook | react                      |                                |
meta     | react-server-dom-parcel    | >= 19.0.0 < 19.0.1             | 19.0.1
meta     | react-server-dom-parcel    | 19.0.0 – 19.0.0                |
meta     | react-server-dom-parcel    | >= 19.1.0 < 19.1.2             | 19.1.2
meta     | react-server-dom-parcel    | 19.1.0 – 19.1.1                |
meta     | react-server-dom-parcel    | >= 19.2.0 < 19.2.1             | 19.2.1
meta     | react-server-dom-parcel    | 19.2.0 – 19.2.0                |
meta     | react-server-dom-turbopack | >= 19.0.0 < 19.0.1             | 19.0.1
meta     | react-server-dom-turbopack | 19.0.0 – 19.0.0                |
meta     | react-server-dom-turbopack | >= 19.1.0 < 19.1.2             | 19.1.2
meta     | react-server-dom-turbopack | 19.1.0 – 19.1.1                |
meta     | react-server-dom-turbopack | >= 19.2.0 < 19.2.1             | 19.2.1
meta     | react-server-dom-turbopack | 19.2.0 – 19.2.0                |
meta     | react-server-dom-webpack   | >= 19.0.0 < 19.0.1             | 19.0.1
meta     | react-server-dom-webpack   | 19.0.0 – 19.0.0                |
meta     | react-server-dom-webpack   | >= 19.1.0 < 19.1.2             | 19.1.2
meta     | react-server-dom-webpack   | 19.1.0 – 19.1.1                |
meta     | react-server-dom-webpack   | >= 19.2.0 < 19.2.1             | 19.2.1
meta     | react-server-dom-webpack   | 19.2.0 – 19.2.0                |
next     | next                       | >= 14.3.0-canary.77 < 15.0.5   | 15.0.5
next     | next                       | >= 15.1.0-canary.0 < 15.1.9    | 15.1.9
next     | next                       | >= 15.2.0-canary.0 < 15.2.6    | 15.2.6

Detection & IOCs (extracted from sources)

  • CVE-2025-55182 is a pre-authentication remote code execution vulnerability in React Server Components; applications supporting React Server Components are vulnerable by default, even without explicit use of Server Functions
  • CVE-2025-55182 affects React Server Components across multiple frameworks, not React.js alone; the available sources describe the list of affected frameworks as exhaustive but do not fully enumerate it
  • The CVSS score is the maximum severity (10.0), indicating that no authentication or user interaction is required for exploitation

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 10.0  | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ghsa          |         | 10.0  | CRITICAL |
osv           |         | 10.0  | CRITICAL |
vulncheck     |         | 10.0  | CRITICAL |
cisa          |         | 10.0  | CRITICAL |
vendor_cisco  |         | 10.0  | CRITICAL |
vendor_redhat |         | 10.0  | CRITICAL |