Critical severity · CISA KEV · NVD Advisory · Published Dec 3, 2025 · Updated Feb 26, 2026
CVE-2025-55182
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (npm) | Affected versions | Patched version |
|---|---|---|
| react-server-dom-webpack | >= 19.0.0, < 19.0.1 | 19.0.1 |
| react-server-dom-webpack | >= 19.1.0, < 19.1.2 | 19.1.2 |
| react-server-dom-webpack | >= 19.2.0, < 19.2.1 | 19.2.1 |
| react-server-dom-turbopack | >= 19.0.0, < 19.0.1 | 19.0.1 |
| react-server-dom-turbopack | >= 19.1.0, < 19.1.2 | 19.1.2 |
| react-server-dom-turbopack | >= 19.2.0, < 19.2.1 | 19.2.1 |
| react-server-dom-parcel | >= 19.0.0, < 19.0.1 | 19.0.1 |
| react-server-dom-parcel | >= 19.1.0, < 19.1.2 | 19.1.2 |
| react-server-dom-parcel | >= 19.2.0, < 19.2.1 | 19.2.1 |
Affected products
6 entries: 3 GHSA version ranges (>= 19.0.0, < 19.0.1 and 2 more; no CPE assigned) plus 3 vendor entries from the CVE v5 record:
- Meta/react-server-dom-parcel (v5 record range: 19.0.0)
- Meta/react-server-dom-turbopack (v5 record range: 19.0.0)
- Meta/react-server-dom-webpack (v5 record range: 19.0.0)
Patches
Fixed upstream in React commit 7dc903cd29dac55efb4424853fd0442fef3a8700 (PR #35277) and shipped in react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel 19.0.1, 19.1.2 and 19.2.1 (release tags under References). Upgrade whichever react-server-dom-* package matches your bundler to the patched version on the same release line; there is no configuration-level workaround listed in the advisory.
Vulnerability mechanics
Server Functions are exposed as HTTP endpoints that accept the function's arguments as a serialized React Server Components (Flight) payload. In the affected versions the server-side deserializer processes that attacker-supplied payload unsafely, so an unauthenticated client that can reach a Server Function endpoint can obtain remote code execution in the server process; no session or credentials are needed. The CVE is in CISA's KEV catalog and in-the-wild exploitation has been reported (see the Trend Micro analysis under News mentions), so an internet-exposed instance that ran an affected version should be treated as potentially compromised, not merely unpatched.
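Because the affected ranges are narrow and sit on three separate release lines, a plain "is it 19.x?" check is not enough: 19.1.2 is safe while 19.1.1 is not. The following script, added here as an example and not code from the advisory or the React project, audits an npm package-lock.json (lockfileVersion 2 or 3) against exactly the ranges in the table above. The lockfile embedded at the bottom is constructed for the demo; the package and version data are the advisory's own.

```javascript
// Added example, not code from the advisory or from the React project: audit an
// npm package-lock.json (lockfileVersion 2 or 3) for react-server-dom-* versions
// inside the affected ranges published in GHSA-fv66-9v8q-g76r.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-turbopack",
  "react-server-dom-parcel",
]);

// Affected half-open ranges [min, max) and the first patched release on each
// line, as listed in the advisory table.
const RANGES = [
  { min: [19, 0, 0], max: [19, 0, 1], fixed: "19.0.1" },
  { min: [19, 1, 0], max: [19, 1, 2], fixed: "19.1.2" },
  { min: [19, 2, 0], max: [19, 2, 1], fixed: "19.2.1" },
];

// Minimal semver parse: numeric core plus an optional prerelease tag. No
// dependency on the `semver` package so the script runs wherever node does.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one (package, version) pair against the advisory.
// status: "vulnerable" | "not_affected" | "unlisted" | "unknown"
function classify(pkg, version) {
  if (!AFFECTED_PACKAGES.has(pkg)) return { status: "unlisted" };
  const p = parseVersion(version);
  if (!p) return { status: "unknown", reason: `unparseable version "${version}"` };
  if (p.prerelease) {
    // Canary/experimental builds are versioned outside the advisory's stable
    // ranges; flag them for manual review instead of silently passing them.
    return { status: "unknown", reason: `prerelease build ${version}; check its build date manually` };
  }
  for (const r of RANGES) {
    if (cmpCore(p.core, r.min) >= 0 && cmpCore(p.core, r.max) < 0) {
      return { status: "vulnerable", fixed: r.fixed };
    }
  }
  return { status: "not_affected" };
}

// Walk every entry in lock.packages, including nested copies such as
// node_modules/<framework>/node_modules/react-server-dom-*, and report the
// react-server-dom-* ones. Workspace/link entries outside node_modules are skipped.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({ path, name, version: entry.version, ...classify(name, entry.version) });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project): one vulnerable pin,
// one patched nested copy, one canary build.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-0123abcd-20251101" },
  },
};

// Stand-alone usage: node audit-rsc.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCKFILE;
  const findings = auditLockfile(lock);
  for (const f of findings) {
    console.log(`${f.status.padEnd(13)} ${f.name}@${f.version}` +
      (f.fixed ? `  -> upgrade to ${f.fixed}` : "") + (f.reason ? `  (${f.reason})` : ""));
  }
  process.exitCode = findings.some((f) => f.status === "vulnerable") ? 1 : 0;
}
```

The script exits non-zero when any pin is inside an affected range, so it can gate a CI job. It only sees what the lockfile sees: a framework that vendors its own copy of a react-server-dom-* package outside node_modules will not appear here and has to be checked against that framework's own advisory, and prerelease builds are reported as unknown rather than assumed safe.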
References
12 references
- github.com/advisories/GHSA-fv66-9v8q-g76r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-55182 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2025/12/03/4 (GHSA, web)
- github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700 (GHSA, web)
- github.com/facebook/react/pull/35277 (GHSA, web)
- github.com/facebook/react/releases/tag/v19.0.1 (GHSA, web)
- github.com/facebook/react/releases/tag/v19.1.2 (GHSA, web)
- github.com/facebook/react/releases/tag/v19.2.1 (GHSA, web)
- github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r (GHSA, web)
- news.ycombinator.com/item (GHSA, web)
- react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components (GHSA, web, vendor confirmation)
- www.facebook.com/security/advisories/cve-2025-55182 (GHSA, web, vendor confirmation)
News mentions
21 mentions
- New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks · The Hacker News · Jun 26, 2026
- StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader · Securelist · Jun 24, 2026
- AWS Warns Outbound Traffic Blind Spots Can Enable Cloud Data Exfiltration · Cyber Security News · Jun 23, 2026
- What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant · Securelist · May 29, 2026
- AI Threat Landscape Digest March-April 2026 · Check Point Research · May 26, 2026
- Pentest Agent Suite – Bug Bounty Framework for Claude Code and 6 AI Coding Tools · Cyber Security News · May 25, 2026
- AI shrinks vulnerability exploitation window to hours · Help Net Security · May 18, 2026
- Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware · TheDFIRReport · May 11, 2026
- ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials · SecurityWeek · May 8, 2026
- New PCPJack worm steals credentials, cleans TeamPCP infections · BleepingComputer · May 7, 2026
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems · The Hacker News · May 7, 2026
- China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists · The Hacker News · May 1, 2026
- What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia · The Register Security · Apr 30, 2026
- Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia · Trend Micro Research · Apr 30, 2026
- 27th April – Threat Intelligence Report · Check Point Research · Apr 27, 2026
- Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting · TheDFIRReport · Apr 22, 2026
- Cloud Attackers Now Prefer Vulnerability Exploits Over Credentials, Google Cloud Finds · Infosecurity Magazine · Mar 10, 2026
- Introducing ÆSIR: Finding Zero-Day Vulnerabilities at the Speed of AI · Trend Micro Research · Jan 15, 2026
- Risky Business #818 -- React2Shell is a fun one · Risky Business · Dec 10, 2025
- CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation · Trend Micro Research · Dec 10, 2025
- Critical React Server Components Vulnerability CVE-2025-55182: What Security Teams Need to Know · Trend Micro Research · Dec 5, 2025