A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Affected Products

Also Affects

Downstream vendors/products affected by this vulnerability

References

• https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components(Patch, Vendor Advisory)
• https://www.facebook.com/security/advisories/cve-2025-55182(Vendor Advisory)
• http://www.openwall.com/lists/oss-security/2025/12/03/4(Mailing List, Patch, Third Party Advisory)
• https://news.ycombinator.com/item?id=46136026(Issue Tracking)
• https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/(Third Party Advisory)
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182(US Government Resource)

Related News (1 articles)