oss-sec mailing list archives
CVE-2025-55182: RCE in React Server Components
From: Jan Schaumann <jschauma () netmeister org>
Date: Wed, 3 Dec 2025 13:56:49 -0500
(I'm not affiliated with React nor Meta, just posting this here as I don't think I've seen the team send notes to this list.)

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.cve.org/CVERecord?id=CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of

- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

The commit including the fix is here: https://github.com/facebook/react/pull/35277

"Further details of the vulnerability will be provided after the rollout of the fix is complete."
Current thread:
- CVE-2025-55182: RCE in React Server Components Jan Schaumann (Dec 03)
- additional React vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779) Jan Schaumann (Dec 14)
