CVE-2025-55182
Description
Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.
CISA KEV
- Vendor
- Meta
- Product
- React Server Components
- Due date
- 2025-12-12
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | react-server-dom-webpack | >=19.0.0,<19.0.1 | 19.0.1 |
| npm | react-server-dom-webpack | >=19.1.0,<19.1.2 | 19.1.2 |
| npm | react-server-dom-webpack | >=19.2.0,<19.2.1 | 19.2.1 |
| npm | react-server-dom-turbopack | >=19.0.0,<19.0.1 | 19.0.1 |
| npm | react-server-dom-turbopack | >=19.1.0,<19.1.2 | 19.1.2 |
| npm | react-server-dom-turbopack | >=19.2.0,<19.2.1 | 19.2.1 |
| npm | react-server-dom-parcel | >=19.0.0,<19.0.1 | 19.0.1 |
| npm | react-server-dom-parcel | >=19.1.0,<19.1.2 | 19.1.2 |
| npm | react-server-dom-parcel | >=19.2.0,<19.2.1 | 19.2.1 |
References
- https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- https://github.com/facebook/react/pull/35277
- https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
- https://github.com/ejpir/CVE-2025-55182-poc
- https://github.com/facebook/react
- https://github.com/facebook/react/releases/tag/v19.0.1
- https://github.com/facebook/react/releases/tag/v19.1.2
- https://github.com/facebook/react/releases/tag/v19.2.1
- https://news.ycombinator.com/item?id=46136026
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://www.facebook.com/security/advisories/cve-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Verify integrity in audit chain (admin only). AS-IS.