CVE-2025-55182
Vulnerability Summary
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVSS Metrics
- CVSS v3.1: CRITICAL, Score: 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Trends
Current EPSS score: 65.08% (Percentile: 98%)
Techniques & Countermeasures
- CWE-502: Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Systems
- facebook / react: 19.0.0 | 19.1.0 | 19.1.1 | 19.2.0
- meta / react-server-dom-parcel: 19.0.0 | ≥ 19.1.0, ≤ 19.1.1 | 19.2.0
- meta / react-server-dom-turbopack: 19.0.0 | ≥ 19.1.0, ≤ 19.1.1 | 19.2.0
- meta / react-server-dom-webpack: 19.0.0 | ≥ 19.1.0, ≤ 19.1.1 | 19.2.0
- npm / react-server-dom-parcel: ≥ 19.0.0, < 19.0.1 | ≥ 19.1.0, < 19.1.2 | ≥ 19.2.0, < 19.2.1
- npm / react-server-dom-turbopack: ≥ 19.0.0, < 19.0.1 | ≥ 19.1.0, < 19.1.2 | ≥ 19.2.0, < 19.2.1
- npm / react-server-dom-webpack: ≥ 19.0.0, < 19.0.1 | ≥ 19.1.0, < 19.1.2 | ≥ 19.2.0, < 19.2.1
- vercel / next.js:
≥ 15.0.0, < 15.0.5 | ≥ 15.1.0, < 15.1.9 | ≥ 15.2.0, < 15.2.6 | ≥ 15.3.0, < 15.3.6 | ≥ 15.4.0, < 15.4.8 | ≥ 15.5.0, < 15.5.7 | ≥ 16.0.0, < 16.0.7 | 14.3.0:canary77 | 14.3.0:canary78 | 14.3.0:canary79 | 14.3.0:canary80 | 14.3.0:canary81 | 14.3.0:canary82 | 14.3.0:canary83 | 14.3.0:canary84 | 14.3.0:canary85 | 14.3.0:canary86 | 14.3.0:canary87 | 15.6.0 | 15.6.0:canary0 | 15.6.0:canary1 | 15.6.0:canary10 | 15.6.0:canary11 | 15.6.0:canary12 | 15.6.0:canary13 | 15.6.0:canary14 | 15.6.0:canary15 | 15.6.0:canary16 | 15.6.0:canary17 | 15.6.0:canary18 | 15.6.0:canary19 | 15.6.0:canary2 | 15.6.0:canary20 | 15.6.0:canary21 | 15.6.0:canary22 | 15.6.0:canary23 | 15.6.0:canary24 | 15.6.0:canary25 | 15.6.0:canary26 | 15.6.0:canary27 | 15.6.0:canary28 | 15.6.0:canary29 | 15.6.0:canary3 | 15.6.0:canary30 | 15.6.0:canary31 | 15.6.0:canary32 | 15.6.0:canary33 | 15.6.0:canary34 | 15.6.0:canary35 | 15.6.0:canary36 | 15.6.0:canary37 | 15.6.0:canary38 | 15.6.0:canary39 | 15.6.0:canary4 | 15.6.0:canary40 | 15.6.0:canary41 | 15.6.0:canary42 | 15.6.0:canary43 | 15.6.0:canary44 | 15.6.0:canary45 | 15.6.0:canary46 | 15.6.0:canary47 | 15.6.0:canary48 | 15.6.0:canary49 | 15.6.0:canary5 | 15.6.0:canary50 | 15.6.0:canary51 | 15.6.0:canary52 | 15.6.0:canary53 | 15.6.0:canary54 | 15.6.0:canary55 | 15.6.0:canary56 | 15.6.0:canary57 | 15.6.0:canary6 | 15.6.0:canary7 | 15.6.0:canary8 | 15.6.0:canary9 | 16.0.0
References (15)
- https://www.facebook.com/security/advisories/cve-2025-55182
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- https://news.ycombinator.com/item?id=46136026
- https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- https://github.com/facebook/react/pull/35277
- https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
- https://github.com/ejpir/CVE-2025-55182-poc
- https://github.com/facebook/react
- https://github.com/facebook/react/releases/tag/v19.0.1
- https://github.com/facebook/react/releases/tag/v19.1.2
- https://github.com/facebook/react/releases/tag/v19.2.1