Source: Ministry of education information & communication security contingency platform
"" "" ""
| Publication Number | TACERT-ANA-2025121601125858 | Publication Time | 2025/12/16 13:18 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2025/12/16 13:18 |
| Impact Level | Low | ||
| [Subject] 【Vulnerability Alert】A Critical Security Vulnerability Found in Meta React Server Components (CVE-2025-55182) |
|||
| [Content] Forwarded from TWCERTCC-200-202512-00000006 React is an open-source JavaScript library developed by Meta for building user interfaces. Recently, Meta released a critical security advisory (CVE-2025-55182, CVSS: 10.0), indicating that React Server Components contain a remote code execution vulnerability. Due to a security weakness in how React parses data sent to React Server Function endpoints, attackers may trigger arbitrary code execution through specially crafted payloads without requiring authentication. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
|
[Affected Platform] react-server-dom-parcel versions 19.0, 19.1.0, 19.1.1, and 19.2.0 react-server-dom-turbopack versions 19.0, 19.1.0, 19.1.1, and 19.2.0 The affected React frameworks and bundling tools include: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk. |
|||
|
[Recommended Actions] https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components |
|||
| [Reference] |
|||