CVE-2025-55182
CRITICAL · CISA KEV · EPSS 99.9%
CVSS 3.1 base score: 10.0
Published: Dec 3, 2025 (6mo ago)
Last Modified: Jun 17, 2026 (1w ago)
KEV Listed: Dec 5, 2025 (6mo ago)
KEV Due: Dec 12, 2025 (199d overdue)
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVSS Details
Base Score: 10.0 (CVSS 3.1)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Threat Intelligence
CISA Known Exploited Vulnerabilities (KEV): listed, 199d overdue
- Added: Dec 5, 2025
- Due: Dec 12, 2025
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability: 99.9% percentile
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available
Weaknesses (1)
- CWE-502 Deserialization of Untrusted Data (Validation)
Affected Products (82 listed entries; identical rows collapsed below)

| Vendor | Product | Version | Range |
|---|---|---|---|
| | react | 19.0.0 | any |
| | react | 19.1.0 | any |
| | react | 19.1.1 | any |
| | react | 19.2.0 | any |
| vercel | next.js | * | ≥15.0.0 – <15.0.5 |
| vercel | next.js | * | ≥15.1.0 – <15.1.9 |
| vercel | next.js | * | ≥15.2.0 – <15.2.6 |
| vercel | next.js | * | ≥15.3.0 – <15.3.6 |
| vercel | next.js | * | ≥15.4.0 – <15.4.8 |
| vercel | next.js | * | ≥15.5.0 – <15.5.7 |
| vercel | next.js | * | ≥16.0.0 – <16.0.7 |
| vercel | next.js | 14.3.0 | any |
| vercel | next.js | 15.6.0 | any |
| vercel | next.js | 16.0.0 | any |
References (6)
- [openwall.com](http://www.openwall.com/lists/oss-security/2025/12/03/4)
- [aws.amazon.com](https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/)
- [news.ycombinator.com](https://news.ycombinator.com/item?id=46136026)
- [react.dev](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
- [cisa.gov](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182)
- [facebook.com](https://www.facebook.com/security/advisories/cve-2025-55182)
Remediation
A patch is available (see Exploit & Patch Status above). The Next.js ranges in the affected-products table end at the first fixed release of each line: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7; for the react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack packages, follow the vendor advisory linked below.
- [openwall.com](http://www.openwall.com/lists/oss-security/2025/12/03/4)
- [react.dev](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)