CVSS 10
CVE-2025-55182
Trending CVE
- EPSS 27.81%
- Published 03.12.2025 15:40:56
- Last modified 06.12.2025 02:00:02
- Source cve-assign@fb.com
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Data provided by the National Vulnerability Database (NVD)
05.12.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: Meta React Server Components Remote Code Execution Vulnerability
- Description: Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 27.81% | 0.963 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cve-assign@fb.com | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.