RCFC 19.019.2 Remote Code Exec via Unsafe Deserialization
CVE-2025-55182 Published on December 3, 2025
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Known Exploited Vulnerability
This Meta React Server Components Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
The following remediation steps are recommended / required by December 26, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Products Associated with CVE-2025-55182
stack.watch emails you whenever new vulnerabilities are published in Amazon Aws or Oracle. Just hit a watch button to start following.
Affected Versions
Meta react-server-dom-webpack:- Version 19.0.0, <= 19.0.0 is affected.
- Version 19.1.0, <= 19.1.1 is affected.
- Version 19.2.0, <= 19.2.0 is affected.
- Version 19.0.0, <= 19.0.0 is affected.
- Version 19.1.0, <= 19.1.1 is affected.
- Version 19.2.0, <= 19.2.0 is affected.
- Version 19.0.0, <= 19.0.0 is affected.
- Version 19.1.0, <= 19.1.1 is affected.
- Version 19.2.0, <= 19.2.0 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-55182
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| npm | react-server-dom-turbopack | >= 19.1.0, < 19.1.2 | 19.1.2 |
| npm | likec4 | <= 1.46.1 | |
| npm | react-server-dom-webpack | = 19.0 | 19.0.1 |
| npm | react-server-dom-webpack | >= 19.1.0, < 19.1.2 | 19.1.2 |
| npm | react-server-dom-webpack | = 19.2.0 | 19.2.1 |
| npm | next | >= 16.0.0-canary.0, < 16.0.7 | 16.0.7 |
| npm | next | >= 15.5.1-canary.0, < 15.5.7 | 15.5.7 |
| npm | next | >= 15.4.0-canary.0, < 15.4.8 | 15.4.8 |
| npm | next | >= 15.3.0-canary.0, < 15.3.6 | 15.3.6 |
| npm | next | >= 15.2.0-canary.0, < 15.2.6 | 15.2.6 |
| npm | next | >= 15.1.1-canary.0, < 15.1.9 | 15.1.9 |
| npm | next | >= 14.3.0-canary.77, < 15.0.5 | 15.0.5 |
| npm | react-server-dom-parcel | = 19.2.0 | 19.2.1 |
| npm | react-server-dom-parcel | >= 19.1.0, < 19.1.2 | 19.1.2 |
| npm | react-server-dom-parcel | = 19.0 | 19.0.1 |
| npm | react-server-dom-turbopack | = 19.2.0 | 19.2.1 |
| npm | react-server-dom-turbopack | = 19.0 | 19.0.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.