Ethical Hacking News
U.S. CISA Adds React Server Components Flaw to Known Exploited Vulnerabilities Catalog: A Cautionary Tale of Software Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Meta React Server Components flaw, tracked as CVE-2025-55182 (CVSS Score of 10.0), to its Known Exploited Vulnerabilities catalog. This addition serves as a stark reminder of the importance of regularly updating software and being vigilant about security vulnerabilities in widely used technologies.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Meta React Server Components flaw to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2025-55182, is a pre-authentication remote code execution vulnerability that can execute arbitrary code on a server without authentication. The flaw was reported by researcher Lachlan Davidson and has been addressed in versions 19.0.1, 19.1.2, and 19.2.1. CISA orders federal agencies to fix the vulnerabilities by December 26, 2025, emphasizing the importance of addressing identified vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken an important step in ensuring the cybersecurity posture of federal agencies by adding a Meta React Server Components flaw, tracked as CVE-2025-55182 (CVSS Score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog. This addition serves as a stark reminder of the importance of regularly updating software and being vigilant about security vulnerabilities in widely used technologies.
The vulnerability at hand is a pre-authentication remote code execution vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw stems from the code deserializing data from HTTP requests to Server Function endpoints without proper safety checks. This vulnerability allows an attacker to execute arbitrary code on a server without needing authentication.
Lachlan Davidson reported this security vulnerability in React on November 29th. He explained that unsafe payload decoding in Server Function endpoints allows unauthenticated code execution. Apps using React Server Components may be exposed even without Server Function endpoints. The researcher warned that this flaw can be exploited to gain access to sensitive data or disrupt the normal functioning of a server.
Fortunately, versions 19.0.1, 19.1.2, and 19.2.1 addressed the flaw. Amazon detected China-linked groups exploiting CVE-2025-55182 (React2Shell) within hours of its December 3 disclosure. AWS services aren’t impacted, but customers running affected versions should act immediately.
The Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities emphasizes the importance of addressing identified vulnerabilities by their due dates to protect networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by December 26, 2025. This order serves as a reminder that software updates are not just a best practice but a critical component of maintaining a secure cybersecurity posture.
In conclusion, the addition of this React Server Components flaw to the KEV catalog highlights the importance of staying vigilant about security vulnerabilities in widely used technologies and being proactive about updating software. By taking these steps, individuals and organizations can help protect themselves against potential attacks and maintain the integrity of their networks.
Related Information:
https://www.ethicalhackingnews.com/articles/US-CISA-Adds-React-Server-Components-Flaw-to-Known-Exploited-Vulnerabilities-Catalog-A-Cautionary-Tale-of-Software-Security-ehn.shtml
https://securityaffairs.com/185427/security/u-s-cisa-adds-a-meta-react-server-components-flaw-to-its-known-exploited-vulnerabilities-catalog.html
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.cvedetails.com/cve/CVE-2025-55182/
Published: Mon Dec 8 03:47:47 2025 by llama3.2 3B Q4_K_M