CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components	Patch Vendor Advisory
https://www.facebook.com/security/advisories/cve-2025-55182	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/03/4	Mailing List Patch Third Party Advisory
https://news.ycombinator.com/item?id=46136026	Issue Tracking
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/	Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182	US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:facebook:react:19.0.0:::::::*
	cpe:2.3:a:facebook:react:19.1.0:::::::*
	cpe:2.3:a:facebook:react:19.1.1:::::::*
	cpe:2.3:a:facebook:react:19.2.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js::::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary77::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary78::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary79::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary80::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary81::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary82::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary83::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary84::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary85::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary86::::node.js::*
	cpe:2.3:a:vercel:next.js:14.3.0:canary87::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:-::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary0::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary1::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary10::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary11::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary12::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary13::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary14::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary15::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary16::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary17::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary18::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary19::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary2::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary20::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary21::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary22::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary23::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary24::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary25::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary26::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary27::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary28::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary29::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary3::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary30::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary31::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary32::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary33::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary34::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary35::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary36::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary37::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary38::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary39::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary4::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary40::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary41::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary42::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary43::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary44::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary45::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary46::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary47::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary48::::node.js::*
	cpe:2.3:a:vercel:next.js:15.6.0:canary49::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary5::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary50::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary51::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary52::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary53::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary54::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary55::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary56::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary57::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary6::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary7::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary8::::node.js::*
cpe:2.3:a:vercel:next.js:15.6.0:canary9::::node.js::*
cpe:2.3:a:vercel:next.js:16.0.0:-::::node.js::*

History

No history.

Information

Published : 2025-12-03 16:15

Updated : 2025-12-10 02:00

NVD link : CVE-2025-55182

Mitre link : CVE-2025-55182

CVE.ORG link : CVE-2025-55182

JSON object : View

Products Affected

facebook

react

vercel

next.js

CWE

CWE-502

Deserialization of Untrusted Data

10.0 /10