VDB

CISA-2025-55182

CISA-2025-55182 PUBLISHED CVSS 10 CRITICAL

Reported by Meta · Published December 3, 2025

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Risk Scores

CVSS 3.1
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersions
Metareact-server-dom-webpack19.0.0, 19.1.0, 19.2.0
Metareact-server-dom-turbopack19.0.0, 19.1.0, 19.2.0
Metareact-server-dom-parcel19.0.0, 19.1.0, 19.2.0
Metareact-server-dom-turbopack19.1.0, 19.2.0, 19.0.0
Metareact-server-dom-parcel19.1.0, 19.0.0, 19.1.0
Metareact-server-dom-webpack19.1.0, 19.0.0, 19.2.0

Timeline

  • Jun 24, 2024 PoC Published
  • Dec 3, 2025 CVE Published
  • Dec 4, 2025 PoC Published
  • Dec 5, 2025 PoC Published
  • Dec 5, 2025 PoC Published
  • Dec 6, 2025 PoC Published
  • Dec 9, 2025 PoC Published
  • Feb 26, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›