CVE-2025-55182: Meta React Server Components Remote Code Execution Vulnerability

Published Dec 3, 2025

### Impact

There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately.

The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:

* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)
* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)
* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)

### Patches

A fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability.

If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

### References

See the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.

Affected Software

93 affected components · Fixes available
React Server Components>=19.0.0<=19.2.0
Meta React Server Components
Facebook React=19.0.0
Facebook React=19.1.0
Facebook React=19.1.1
Facebook React=19.2.0
Vercel Next.js Node.js>=15.0.0<15.0.5
Vercel Next.js Node.js>=15.1.0<15.1.9
Vercel Next.js Node.js>=15.2.0<15.2.6
Vercel Next.js Node.js>=15.3.0<15.3.6
Vercel Next.js Node.js>=15.4.0<15.4.8
Vercel Next.js Node.js>=15.5.0<15.5.7
Vercel Next.js Node.js>=16.0.0<16.0.7
Vercel Next.js Node.js=14.3.0-canary77
Vercel Next.js Node.js=14.3.0-canary78
Vercel Next.js Node.js=14.3.0-canary79
Vercel Next.js Node.js=14.3.0-canary80
Vercel Next.js Node.js=14.3.0-canary81
Vercel Next.js Node.js=14.3.0-canary82
Vercel Next.js Node.js=14.3.0-canary83
Vercel Next.js Node.js=14.3.0-canary84
Vercel Next.js Node.js=14.3.0-canary85
Vercel Next.js Node.js=14.3.0-canary86
Vercel Next.js Node.js=14.3.0-canary87
Vercel Next.js Node.js=15.6.0
Vercel Next.js Node.js=15.6.0-canary0
Vercel Next.js Node.js=15.6.0-canary1
Vercel Next.js Node.js=15.6.0-canary10
Vercel Next.js Node.js=15.6.0-canary11
Vercel Next.js Node.js=15.6.0-canary12
Vercel Next.js Node.js=15.6.0-canary13
Vercel Next.js Node.js=15.6.0-canary14
Vercel Next.js Node.js=15.6.0-canary15
Vercel Next.js Node.js=15.6.0-canary16
Vercel Next.js Node.js=15.6.0-canary17
Vercel Next.js Node.js=15.6.0-canary18
Vercel Next.js Node.js=15.6.0-canary19
Vercel Next.js Node.js=15.6.0-canary2
Vercel Next.js Node.js=15.6.0-canary20
Vercel Next.js Node.js=15.6.0-canary21
Vercel Next.js Node.js=15.6.0-canary22
Vercel Next.js Node.js=15.6.0-canary23
Vercel Next.js Node.js=15.6.0-canary24
Vercel Next.js Node.js=15.6.0-canary25
Vercel Next.js Node.js=15.6.0-canary26
Vercel Next.js Node.js=15.6.0-canary27
Vercel Next.js Node.js=15.6.0-canary28
Vercel Next.js Node.js=15.6.0-canary29
Vercel Next.js Node.js=15.6.0-canary3
Vercel Next.js Node.js=15.6.0-canary30
Vercel Next.js Node.js=15.6.0-canary31
Vercel Next.js Node.js=15.6.0-canary32
Vercel Next.js Node.js=15.6.0-canary33
Vercel Next.js Node.js=15.6.0-canary34
Vercel Next.js Node.js=15.6.0-canary35
Vercel Next.js Node.js=15.6.0-canary36
Vercel Next.js Node.js=15.6.0-canary37
Vercel Next.js Node.js=15.6.0-canary38
Vercel Next.js Node.js=15.6.0-canary39
Vercel Next.js Node.js=15.6.0-canary4
Vercel Next.js Node.js=15.6.0-canary40
Vercel Next.js Node.js=15.6.0-canary41
Vercel Next.js Node.js=15.6.0-canary42
Vercel Next.js Node.js=15.6.0-canary43
Vercel Next.js Node.js=15.6.0-canary44
Vercel Next.js Node.js=15.6.0-canary45
Vercel Next.js Node.js=15.6.0-canary46
Vercel Next.js Node.js=15.6.0-canary47
Vercel Next.js Node.js=15.6.0-canary48
Vercel Next.js Node.js=15.6.0-canary49
Vercel Next.js Node.js=15.6.0-canary5
Vercel Next.js Node.js=15.6.0-canary50
Vercel Next.js Node.js=15.6.0-canary51
Vercel Next.js Node.js=15.6.0-canary52
Vercel Next.js Node.js=15.6.0-canary53
Vercel Next.js Node.js=15.6.0-canary54
Vercel Next.js Node.js=15.6.0-canary55
Vercel Next.js Node.js=15.6.0-canary56
Vercel Next.js Node.js=15.6.0-canary57
Vercel Next.js Node.js=15.6.0-canary6
Vercel Next.js Node.js=15.6.0-canary7
Vercel Next.js Node.js=15.6.0-canary8
Vercel Next.js Node.js=15.6.0-canary9
Vercel Next.js Node.js=16.0.0
npm/react-server-dom-webpack=19.0.0 (fixed in 19.0.1)
npm/react-server-dom-parcel=19.0.0 (fixed in 19.0.1)
npm/react-server-dom-turbopack=19.0.0 (fixed in 19.0.1)
npm/react-server-dom-parcel=19.2.0 (fixed in 19.2.1)
npm/react-server-dom-parcel>=19.1.0<19.1.2 (fixed in 19.1.2)
npm/react-server-dom-turbopack=19.2.0 (fixed in 19.2.1)
npm/react-server-dom-turbopack>=19.1.0<19.1.2 (fixed in 19.1.2)
npm/react-server-dom-webpack=19.2.0 (fixed in 19.2.1)
npm/react-server-dom-webpack>=19.1.0<19.1.2 (fixed in 19.1.2)

Remediation

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Event History

Dec 3, 2025

* 03:40 PM: CVE Published, via MITRE
* 03:40 PM: Data Sourced, via MITRE (Description, Severity, Weakness)
* 04:15 PM: Data Sourced, via NVD (Remedy, Description, Severity, Weakness, Affected Software)
* 07:07 PM: Advisory Published, via GitHub
* 07:07 PM: Data Sourced, via GitHub (Description, Severity, Weakness, Affected Software)
* 09:55 PM: News Published, via The Register
* 09:58 PM: News Published, via The Register

Dec 4, 2025

* 03:11 PM: News Published, via BleepingComputer
* 03:14 PM: News Published, via BleepingComputer

Dec 5, 2025

* 12:00 AM: Known Exploited, via CISA
* 12:00 AM: Known Ransomware, via CISA
* 12:00 AM: Data Sourced, via CISA (Remedy, Description, Affected Software)
* 11:26 AM: News Published, via BleepingComputer
* 01:53 PM: News Published, via BleepingComputer
* 02:10 PM: News Published, via The Register
* 09:46 PM: News Published, via The Register

Dec 6, 2025

* 07:07 PM: News Published, via BleepingComputer

Dec 9, 2025

* 03:43 PM: News Published, via BleepingComputer

Dec 12, 2025

* 11:31 AM: News Published, via The Register
* 06:23 PM: News Published, via The Register

Dec 15, 2025

* 12:46 PM: News Published, via BleepingComputer
* 05:53 PM: News Published, via The Register

Dec 17, 2025

* 04:09 PM: News Published, via BleepingComputer

Dec 18, 2025

* 11:42 AM: News Published, via The Register

Dec 31, 2025

* 02:58 PM: News Published, via BleepingComputer

Mar 9, 2026

* 09:45 PM: News Published, via BleepingComputer

Mar 13, 2026

* 05:40 PM: News Published, via ZDNet
* 06:33 PM: News Published, via ZDNet

Apr 5, 2026

* 02:17 PM: News Published, via BleepingComputer

Apr 9, 2026

* 12:00 AM: Exploit Published, via ExploitDB

Apr 30, 2026

* 11:00 AM: News Published, via The Register

May 18, 2026

* 08:13 PM: News Published, via ZDNet
Frequently Asked Questions

1. What is the severity of CVE-2025-55182?

CVE-2025-55182 is classified as a critical vulnerability due to its potential for pre-authentication remote code execution.

2. How do I fix CVE-2025-55182?

To mitigate CVE-2025-55182, upgrade your React Server Components to version 19.2.1 or later.

3. What components are affected by CVE-2025-55182?

CVE-2025-55182 affects React Server Components versions 19.0.0 to 19.2.0, including packages like react-server-dom-parcel and react-server-dom-webpack.

4. What types of attacks can exploit CVE-2025-55182?

CVE-2025-55182 can be exploited to execute remote code on vulnerable systems prior to user authentication.

5. How can I confirm if I am using a vulnerable version related to CVE-2025-55182?

Check your project's package.json file to see if you are using React Server Components versions 19.0.0 through 19.2.0.
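
The version check from the last answer, run against the resolved versions in a lockfile instead of the ranges declared in package.json (an added example, not code from the advisory, React or Next.js). It assumes an npm `package-lock.json` with a `packages` map; `classify`, `scanLockfile` and the sample lockfile are constructed for illustration, and the version data is copied from the affected-software list on this page.

```javascript
// Added example, not from the advisory: classify resolved versions against
// the affected versions and ranges listed on this page.
const RSC_PACKAGES = ["react-server-dom-webpack", "react-server-dom-parcel",
  "react-server-dom-turbopack"];
const RSC_AFFECTED = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Next.js stable ranges from the page: [first affected, first fixed).
const NEXT_RANGES = [["15.0.0", "15.0.5"], ["15.1.0", "15.1.9"],
  ["15.2.0", "15.2.6"], ["15.3.0", "15.3.6"], ["15.4.0", "15.4.8"],
  ["15.5.0", "15.5.7"], ["16.0.0", "16.0.7"]];
const NEXT_EXACT = new Set(["15.6.0"]); // listed individually on the page

function cmp(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function classify(name, version) {
  if (RSC_PACKAGES.includes(name))
    return RSC_AFFECTED.has(version) ? "affected" : "not-listed";
  if (name !== "next") return null; // not covered by this advisory
  // Canary builds are listed one by one on the page; compare those by hand.
  if (version.includes("-")) return "prerelease-check-manually";
  const inRange = NEXT_RANGES.some(
    ([lo, hi]) => cmp(version, lo) >= 0 && cmp(version, hi) < 0);
  return inRange || NEXT_EXACT.has(version) ? "affected" : "not-listed";
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const status = meta.version ? classify(name, meta.version) : null;
    if (status && status !== "not-listed")
      findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed sample lockfile, for illustration only.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/next": { version: "15.4.7" },
  "node_modules/react-server-dom-webpack": { version: "19.1.2" },
  "node_modules/x/node_modules/react-server-dom-parcel": { version: "19.1.1" },
} };
console.log(scanLockfile(SAMPLE_LOCK));
```

Nested `node_modules` paths are included, so a transitive copy at an affected version is reported even when the top-level dependency is already on a fixed release.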
