CRITICAL SeverityCVSS 3.110.0CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2025-55182
Last updated Feb 26, 2026 · Published Dec 03, 2025
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Affected products
1 listed- Meta:react-server-dom-parcel; Meta:react-server-dom-turbopack; Meta:react-server-dom-webpack
Mappings
CWE
CWE-502
CAPEC
None listed.
CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms