🔍 Overview

| Field | Value |
|---|---|
| Summary | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. |
| Advisory Release Date | |
| Products | eptos / eptos Search Engine |
| Affected Releases | eptos 6.* |
| Fixed Releases | N/A |
| CVE ID | CVE-2025-55182 |
| Issue ID | BASE-2285 |
| Further information | |
Summary
The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

Additionally, some frameworks or bundlers that depend on React Server Components are also vulnerable:
- Next.js (14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7)
- Vite RSC Plugin
- Parcel RSC Plugin
- React Router RSC
- RedwoodSDK
- Waku
Software Fixes
eptos does not implement React Server Components (RSC), does not use any framework that implements them, and is therefore not vulnerable to CVE-2025-55182.
What you need to do
No action required
Mitigation
N/A
See also
Support
If you have questions or concerns regarding this advisory, contact support (at) paradine.at and add BASE-2285 to your issue description.