CVE-2025-55182
critical-risk
Published 2025-12-03
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Do I need to act?
84.9% chance of exploitation in next 30 days
EPSS score — higher than 15% of all CVEs
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
1 public exploit available
Fix available
Upgrade to: 3d663f2141a05adb975de4e9dae4c49780791881, aeb69d97f8aad106f4760ff04f6d3aaa33597635, 25ba2c26f42dc33a72c7ff39710fcad9b19d9658, 2f026aae46027d9575494fb3aecbd0d75fd674f0, 49668475daba15ef8cea1d8e469dc0f9a765b635, 3eaf68b09b2b6b8c0c8e080a9713e131a78dc529, 7492122a3bbc6655b64ccba04076c73ab418cdcc
CVSS 10.0/10
Critical
NETWORK / LOW complexity
Affected Products (20)
References (6)
Vendor Advisory
https://www.facebook.com/security/advisories/cve-2025-55182
Issue Tracking
https://news.ycombinator.com/item?id=46136026
Third Party Advisory
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-ex...
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-...
88 / 100
critical-risk
Severity
33/34 · Critical
Exploitability
27/34 · High
Exposure
28/34 · Critical