CVE-2025-55182

CRITICAL

CVSS v3

10

CRITICAL

EPSS Score

59.6%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Technical Details

Published
12/3/2025
CERT-FR Advisory
CERTFR-2025-ALE-014

Frequently Asked Questions

What is CVE-2025-55182?

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Is CVE-2025-55182 actively exploited?

Active exploitation of CVE-2025-55182 has not been confirmed. The EPSS score is 59.6%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-55182?

CVE-2025-55182 has a CVSS v3 base score of 10 (CRITICAL severity).

Is CVE-2025-55182 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.