
OSG-SEC-2025-12-04 CRITICAL React Server Components Vulnerability (CVE-2025-55182)

Dear OSG Security Contacts,

A pre-authentication remote code execution vulnerability exists in React Server Components. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

IMPACTED VERSIONS:

19.0.0, 19.1.0, 19.1.1, 19.2.0

AFFECTED PACKAGES:

react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack

WHAT IS THE VULNERABILITY:

The vulnerability stems from unsafe deserialization logic used by React Server Components. An attacker can send a maliciously crafted serialized payload in an HTTP request to a Server Function endpoint. When React deserializes this payload, it may create unintended objects or trigger unexpected execution paths, enabling pre-authentication remote code execution on the server. This vulnerability does not affect client-side React applications, and only impacts applications that use React Server Components on the server.

IMPACT:

An unauthenticated remote attacker could:

- Execute arbitrary code on the server
- Access or manipulate data processed by server-side React functions
- Compromise the hosting environment
- Potentially pivot deeper into infrastructure

Because this vulnerability requires no authentication and may be reachable through public endpoints, it is considered Critical.

WHAT YOU SHOULD DO:

Patched versions 19.0.1, 19.1.2 and 19.2.1 have been released. All users of the affected packages must upgrade immediately. Additionally, if you use a React-based framework such as Next.js, React Router, Expo, Redwood SDK, or Waku, please check the react.dev link below for upgrade instructions.
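As an added example (not code from the OSG advisory or from the React project), the following Node.js script scans a package-lock.json for the affected packages and impacted versions listed above, including nested copies pulled in by a framework. The lockfile it scans is constructed sample input, and the per-minor-line upgrade mapping is an assumption drawn from the advisory's impacted and patched version lists.

```javascript
// Added example: audit an npm lockfile for the React Server Components
// packages and versions named in the advisory. Not code from the advisory
// or the React project.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);
const IMPACTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Assumed upgrade target per minor line (19.0.x -> 19.0.1, and so on).
const PATCHED_FOR_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// Returns one finding per installed copy of an affected package, including
// nested copies such as node_modules/next/node_modules/react-server-dom-webpack.
function auditLockfile(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // lockfileVersion 2/3 keys entries by install path; the last segment is the name.
    const name = path.split("node_modules/").pop();
    if (path === "" || !AFFECTED_PACKAGES.has(name) || !entry.version) continue;
    const minor = entry.version.split(".").slice(0, 2).join(".");
    const vulnerable = IMPACTED_VERSIONS.has(entry.version);
    findings.push({
      path,
      name,
      version: entry.version,
      vulnerable,
      upgradeTo: vulnerable ? PATCHED_FOR_MINOR[minor] || "latest patched 19.x" : null,
    });
  }
  return findings;
}

// Constructed sample lockfile: one patched top-level copy, one vulnerable
// nested copy, and one vulnerable top-level copy of a different package.
const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-server-dom-webpack": { version: "19.2.1" },
    "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.0.0" },
  },
});

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(f.vulnerable
    ? `VULNERABLE ${f.path}@${f.version} -> upgrade to ${f.upgradeTo}`
    : `ok ${f.path}@${f.version}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with `require("fs").readFileSync("package-lock.json", "utf8")`; any VULNERABLE line means the package must be upgraded before the application is exposed again.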

REFERENCES

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-55182

[2] https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team