PT-2025-48817 · Meta · React-Server-Dom-Webpack+3

Published: 2025-12-03 · Updated: 2026-06-06 · CVE-2025-55182

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

React Server Components versions 19.0.0 through 19.2.0

Description

A pre-authentication remote code execution vulnerability exists in React Server Components, affecting the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages. The root cause is unsafe deserialization of payloads in HTTP requests sent to Server Function endpoints: the deserialization mechanism mishandles the hasOwnProperty parameter in the requireModule() function. A remote, unauthenticated attacker can exploit this to execute arbitrary code on the server by sending a specially crafted HTTP request.
Real-world exploitation has been extensive, including:
  • A large-scale automated campaign by threat cluster UAT-10608 using the NEXUS Listener framework, which compromised at least 766 hosts to harvest over 10,120 files, including database credentials, SSH keys, and cloud API tokens.
  • Activity by the APT-C-26 (Lazarus) group targeting financial institutions and cryptocurrency exchanges to deploy the Copperhedge RAT and EtherRAT malware.
  • Opportunistic attacks deploying the Weaxor ransomware and Cobalt Strike beacons.
Recommendations

  • Update React Server Components to a version that fixes this issue.
  • Rotate and revoke all potentially exposed secrets, including API keys, database passwords, SSH keys, and cloud tokens.
  • As a temporary mitigation, restrict access to the requireModule() function or to the affected Server Function endpoints.
  • Implement egress filtering to block unusual outbound HTTP traffic, particularly to port 8080.

Exploit · Fix · DoS · RCE · LPE

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-15156
CVE-2025-55182
GHSA-FV66-9V8Q-G76R

Affected Products

React Server Components
React-Server-Dom-Parcel
React-Server-Dom-Turbopack
React-Server-Dom-Webpack