VYPR
Critical severityCISA KEVNVD Advisory· Published Dec 3, 2025· Updated Feb 26, 2026

CVE-2025-55182

CVE-2025-55182

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
react-server-dom-webpacknpm
>= 19.0.0, < 19.0.119.0.1
react-server-dom-webpacknpm
>= 19.1.0, < 19.1.219.1.2
react-server-dom-webpacknpm
>= 19.2.0, < 19.2.119.2.1
react-server-dom-turbopacknpm
>= 19.0.0, < 19.0.119.0.1
react-server-dom-turbopacknpm
>= 19.1.0, < 19.1.219.1.2
react-server-dom-turbopacknpm
>= 19.2.0, < 19.2.119.2.1
react-server-dom-parcelnpm
>= 19.0.0, < 19.0.119.0.1
react-server-dom-parcelnpm
>= 19.1.0, < 19.1.219.1.2
react-server-dom-parcelnpm
>= 19.2.0, < 19.2.119.2.1

Affected products

6

Patches

Vulnerability mechanics

References

12

News mentions

21