**U.S. CISA Adds Meta React Server Components Flaw to Its Known Exploited Vulnerabilities Catalog**

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Meta's React Server Components to its Known Exploited Vulnerabilities (KEV) catalog, signalling that the flaw is being exploited in the wild and must be remediated on a deadline.

The vulnerability, tracked as CVE-2025-55182 and carrying the maximum CVSS score of 10.0, affects React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The vulnerable code ships in the bundler-specific packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.

The flaw is an unsafe deserialization bug: the server-side code that decodes payloads sent in HTTP requests to Server Function endpoints does not validate them, so an unauthenticated attacker who can reach such an endpoint can execute arbitrary code on the server.

"A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack," reads the advisory.

"The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."

The vulnerability was reported to the React team by security researcher Lachlan Davidson on November 29, 2025. He explained that unsafe payload decoding in Server Function endpoints allows unauthenticated code execution, and that applications built on React Server Components may be exposed even if they define no Server Function endpoints of their own.

The fix shipped in versions 19.0.1, 19.1.2, and 19.2.1 of the affected packages. Patching did not get ahead of attackers, however: Amazon reported China-linked groups exploiting CVE-2025-55182 (also known as React2Shell) within hours of its December 3, 2025 disclosure.
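The first question a defender has to answer is whether any of the three packages named above is installed at an affected version anywhere in a dependency tree, including copies nested under other packages. The script below is an added example written for this article, not tooling from the React project, CISA or Amazon. It assumes an npm lockfile v2/v3 layout (the `packages` map keyed by `node_modules/...` paths) and uses only the affected and fixed version numbers quoted in the advisory; the sample lockfile fragment is constructed for the demonstration.

```javascript
// Added example for this article: classify installed copies of the React
// Server Components packages named in CVE-2025-55182 by reading a
// package-lock.json (lockfile v2/v3). Not code from React, CISA or Amazon.

// The three packages the advisory names.
const ADVISORY_PACKAGES = new Set([
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
]);

// First patched release per 19.x minor line, per the advisory:
// 19.0.0 -> 19.0.1, 19.1.0 and 19.1.1 -> 19.1.2, 19.2.0 -> 19.2.1.
const FIXED_RELEASE = { 0: "19.0.1", 1: "19.1.2", 2: "19.2.1" };

// Minimal semver parse: major.minor.patch with an optional -prerelease tag.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(version);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns "affected", "fixed", "prerelease" or "out-of-scope".
// Assumption: canary/prerelease builds are not in the advisory's version
// list, so they are flagged for manual review rather than guessed at.
function classifyVersion(version) {
  const v = parseSemver(version);
  if (!v || v.major !== 19 || !(v.minor in FIXED_RELEASE)) return "out-of-scope";
  if (v.prerelease) return "prerelease";
  const fixed = parseSemver(FIXED_RELEASE[v.minor]);
  return v.patch < fixed.patch ? "affected" : "fixed";
}

// A lockfile path like "node_modules/a/node_modules/@scope/b" names package
// "@scope/b": take everything after the last "node_modules/" segment.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Walk every entry in the lockfile's "packages" map, including nested
// copies, and report each advisory package with its status.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !ADVISORY_PACKAGES.has(name) || !entry.version) continue;
    const status = classifyVersion(entry.version);
    const v = parseSemver(entry.version);
    findings.push({
      path: lockPath,
      name,
      version: entry.version,
      status,
      fixedIn: status === "affected" ? FIXED_RELEASE[v.minor] : null,
    });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project): one affected
// copy, one already-patched nested copy, and one canary build.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/build-tool/node_modules/react-server-dom-turbopack": { version: "19.1.2" },
    "node_modules/react-server-dom-parcel": { version: "19.2.0-canary-abc123-20251101" },
  },
};

// Render findings as report lines; also printed so the block runs stand-alone.
function report(lock) {
  const lines = scanLockfile(lock).map((f) =>
    `${f.status.padEnd(12)} ${f.name}@${f.version} (${f.path})` +
    (f.fixedIn ? ` -> upgrade to ${f.fixedIn}` : ""));
  for (const line of lines) console.log(line);
  return lines;
}

report(SAMPLE_LOCK);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Two caveats worth knowing: pnpm and yarn lockfiles use a different layout and need their own reader, and Next.js ships its own bundled copy of react-server-dom-webpack inside the `next` package rather than as a separate lockfile entry, so for Next.js applications the relevant check is the version of `next` itself.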

Amazon said AWS services themselves are not affected, but customers running affected versions on AWS should patch immediately. Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate every vulnerability in the catalog by the due date CISA assigns.

For CVE-2025-55182, CISA has given federal agencies until December 26, 2025 to apply the fix. Although the directive binds only FCEB agencies, CISA also urges private organizations to review the catalog and remediate listed vulnerabilities in their own infrastructure.

Organizations running React Server Components should treat this as an immediate patch priority: the vulnerability requires no authentication, exploitation began within hours of disclosure, and a fixed release exists for every affected line. Its inclusion in the KEV catalog confirms that the threat is active rather than theoretical.