CVE-2025-55182 - Vulnerability Details

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Published: 2025-12-03

Score: 10 Critical

EPSS: 84.0% High

KEV: Yes

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Meta

react-server-dom-parcel

unaffected

Version	Status	Constraints
`19.0.0`	affected	≤ 19.0.0
`19.1.0`	affected	≤ 19.1.1
`19.2.0`	affected	≤ 19.2.0

Configuration 1 [-]

OR	cpe:2.3:a:facebook:react:19.0.0:::::::*
	cpe:2.3:a:facebook:react:19.1.0:::::::*
	cpe:2.3:a:facebook:react:19.1.1:::::::*
	cpe:2.3:a:facebook:react:19.2.0:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary77::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary78::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary79::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary80::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary81::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary82::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary83::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary84::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary85::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary86::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary87::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:-::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary0::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary1::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary10::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary11::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary12::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary13::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary14::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary15::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary16::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary17::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary18::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary19::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary2::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary20::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary21::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary22::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary23::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary24::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary25::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary26::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary27::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary28::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary29::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary3::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary30::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary31::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary32::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary33::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary34::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary35::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary36::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary37::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary38::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary39::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary4::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary40::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary41::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary42::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary43::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary44::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary45::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary46::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary47::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary48::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary49::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary5::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary50::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary51::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary52::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary53::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary54::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary55::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary56::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary57::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary6::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary7::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary8::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary9::::node.js::*
cpe:2.3:a:vercel:next.js:16.0.0:-::::node.js::*

No data.

Vendor	Product	Confidence	Versions
Facebook	React-server-dom-parcel	—	—
Facebook	React-server-dom-turbopack	—	—
Facebook	React-server-dom-webpack	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-fv66-9v8q-g76r	React Server Components are Vulnerable to RCE

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since Dec. 5, 2025.

The EPSS score is 0.83955.

Exploitation active

Automatable yes

Technical Impact total

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://news.ycombinator.com/item?id=46136026
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
https://www.cve.org/CVERecord?id=CVE-2025-55182
https://www.facebook.com/security/advisories/cve-2025-55182

History

Fri, 05 Dec 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Facebook react Vercel Vercel next.js
CPEs		cpe:2.3:a:facebook:react:19.0.0:::::::* cpe:2.3:a:facebook:react:19.1.0:::::::* cpe:2.3:a:facebook:react:19.1.1:::::::* cpe:2.3:a:facebook:react:19.2.0:::::::* cpe:2.3:a:vercel:next.js::::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary77::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary78::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary79::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary80::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary81::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary82::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary83::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary84::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary85::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary86::::node.js::* cpe:2.3:a:vercel:next.js:14.3.0:canary87::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:-::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary0::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary10::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary11::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary12::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary13::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary14::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary15::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary16::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary17::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary18::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary19::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary1::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary20::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary21::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary22::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary23::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary24::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary25::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary26::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary27::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary28::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary29::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary2::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary30::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary31::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary32::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary33::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary34::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary35::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary36::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary37::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary38::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary39::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary3::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary40::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary41::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary42::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary43::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary44::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary45::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary46::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary47::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary48::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary49::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary4::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary50::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary51::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary52::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary53::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary54::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary55::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary56::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary57::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary5::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary6::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary7::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary8::::node.js::* cpe:2.3:a:vercel:next.js:15.6.0:canary9::::node.js::* cpe:2.3:a:vercel:next.js:16.0.0:-::::node.js::*
Vendors & Products		Facebook react Vercel Vercel next.js

Fri, 05 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
References		https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 05 Dec 2025 14:45:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2025-12-05T00:00:00+00:00', 'dueDate': '2025-12-26T00:00:00+00:00'}`

Fri, 05 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
Title		next: From CVEorg collector
Weaknesses		CWE-502
References		https://nvd.nist.gov/vuln/detail/CVE-2025-55182 https://www.cve.org/CVERecord?id=CVE-2025-55182
Metrics	threat_severity `None`	threat_severity `Critical`

Thu, 04 Dec 2025 18:30:00 +0000

Type	Values Removed	Values Added
References	https://github.com/ejpir/CVE-2025-55182-poc

Thu, 04 Dec 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Facebook Facebook react-server-dom-parcel Facebook react-server-dom-turbopack Facebook react-server-dom-webpack
Vendors & Products		Facebook Facebook react-server-dom-parcel Facebook react-server-dom-turbopack Facebook react-server-dom-webpack

Thu, 04 Dec 2025 01:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/ejpir/CVE-2025-55182-poc https://news.ycombinator.com/item?id=46136026

Wed, 03 Dec 2025 21:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/12/03/4

Wed, 03 Dec 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 03 Dec 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description		A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
References		https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components https://www.facebook.com/security/advisories/cve-2025-55182
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Facebook React React-server-dom-parcel React-server-dom-turbopack React-server-dom-webpack

Vercel Next.js

MITRE

Status: PUBLISHED

Assigner: Meta

Published: 2025-12-03T15:40:56.894Z

Updated: 2026-02-26T16:57:36.794Z

Reserved: 2025-08-08T18:21:47.119Z

Link: CVE-2025-55182

Vulnrichment

Updated: 2025-12-04T17:32:12.884Z

NVD

Status : Analyzed

Published: 2025-12-03T16:15:56.463

Modified: 2025-12-06T02:00:02.510

Link: CVE-2025-55182

Redhat

Severity : Critical

Publid Date: 2025-12-03T15:40:56Z

Links: CVE-2025-55182 - Bugzilla

OpenCVE Enrichment

Updated: 2025-12-04T16:44:12Z

Weaknesses

CWE-502

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation active

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object