Message-ID: <aTCH8VcNK_Lz9Rli@netmeister.org>
Date: Wed, 3 Dec 2025 13:56:49 -0500
From: Jan Schaumann <jschauma@...meister.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-55182: RCE in React Server Components

(I'm not affiliated with React nor Meta, just posting
this here as I don't think I've seen the team send
notes to this list.)

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://www.cve.org/CVERecord?id=CVE-2025-55182

A pre-authentication remote code execution
vulnerability exists in React Server Components
versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of

- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

The vulnerable code unsafely deserializes payloads
from HTTP requests to Server Function endpoints.

The commit including the fix is here:
https://github.com/facebook/react/pull/35277

"Further details of the vulnerability will be provided
after the rollout of the fix is complete."
