React Server Components Remote Code Execution (CVE-2025-55182)
Overview
React Server Components Remote Code Execution, tracked as CVE-2025-55182, affects React Server Components implementations that use vulnerable React server DOM packages. The issue is especially high-impact because modern full-stack React frameworks rely on React Server Components to process server-side function requests.
Vulnerability Overview
CVE-2025-55182 is a pre-authentication remote code execution vulnerability in React Server Components. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
The affected packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The related Next.js CVE identifier CVE-2025-66478 was later rejected as a duplicate of CVE-2025-55182, so CVE-2025-55182 is the canonical identifier.
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 10.0. Successful exploitation can allow unauthenticated remote code execution with high confidentiality, integrity, and availability impact.
CVE-2025-55182 is listed in the CISA Known Exploited Vulnerabilities catalog, which indicates active exploitation and makes rapid remediation important for affected server-rendered React applications.
Vulnerability Scope
The affected React Server Components versions are 19.0.0, 19.1.0, 19.1.1, and 19.2.0 in the vulnerable server DOM packages. NVD also identifies affected Next.js releases that include the vulnerable React Server Components dependency chain.
The highest-risk deployments are applications exposing Server Function endpoints through affected React Server Components versions or frameworks that bundle the vulnerable packages.
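As an added defender-side example (not code from this advisory or from the React project), the following Node.js script walks the `packages` map of a lockfileVersion 2/3 package-lock.json and reports every installed copy of the three server DOM packages at one of the versions listed above, including copies nested under a framework such as Next.js; the sample lockfile is constructed for the demo.

```javascript
// Package names and affected versions as listed in the advisory above.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Extract the package name from a lockfile key such as
// "node_modules/next/node_modules/react-server-dom-webpack" (the last
// node_modules segment); returns null for the root entry "".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk a parsed package-lock.json and collect every copy of an affected
// package at an affected version. Nested copies matter: a framework may
// bundle its own copy even when the top-level one has been updated.
function findAffected(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name && AFFECTED_PACKAGES.has(name) && AFFECTED_VERSIONS.has(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits;
}

// Convenience wrapper for raw lockfile text (e.g. read from disk by the caller).
function findAffectedInLockText(text) {
  return findAffected(JSON.parse(text));
}

// Constructed sample: a direct affected copy, a nested affected copy under
// "next", a copy at a version not on the advisory's list, and plain "react",
// which is not one of the server DOM packages and must not be flagged.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.0.0" },
    "node_modules/react-server-dom-turbopack": { version: "0.0.0-sample" },
  },
};

for (const h of findAffected(SAMPLE_LOCK)) {
  console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
}
```

Run it against a real lockfile by passing the file contents to `findAffectedInLockText`; an empty result means none of the listed package/version pairs is installed, not that the application is otherwise unaffected.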
Lab Focus
This Hackviser lab focuses on understanding how unsafe deserialization in server-side component protocols can become pre-authentication remote code execution. You will practice identifying affected React Server Components versions, recognizing the Server Function attack surface, and connecting deserialization risk to full-stack React application hardening.
