All CVEs
Vulnerability intelligence

CVE-2025-55182

Meta React Server Components Remote Code Execution Vulnerability

Meta React Server Components

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

CVSS Score
10
Critical
EPSS — Exploit Probability
100%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2025-12-12
CISA required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2025-12-12.

NVD entry Vendor patch PoC / advisory CISA KEV

6 articles across 4 outlets · first covered Apr 2, 2026 · latest May 7, 2026

Coverage timeline