Vulnerability intelligence
CVE-2025-55182
Meta React Server Components Remote Code Execution Vulnerability
Meta React Server Components
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVSS Score
10
Critical
EPSS — Exploit Probability
100%
Riskier than 100% of all CVEs
Exploitation
Confirmed in the wild
Used in ransomware campaigns
Remediation
Patch available
Federal deadline 2025-12-12
CISA required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2025-12-12.
6 articles across 4 outlets · first covered Apr 2, 2026 · latest May 7, 2026
Coverage timeline
-
PCPJack worm spreads across cloud, stealing credentials via CVEsthehackernews.com · May 7, 2026
-
China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activiststhehackernews.com · May 1, 2026
-
Kubernetes token theft jumps 282% amid rising IT sector attacksunit42.paloaltonetworks.com · Apr 6, 2026
-
Automated Credential Harvesting Campaign Exploits React2Shell Flawwww.darkreading.com · Apr 6, 2026
-
Attackers Exploit Next.js Bug, Loot Credentials From 766 Hostswww.securityweek.com · Apr 3, 2026
-
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentialsthehackernews.com · Apr 2, 2026