A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since yesterday.

Exploitation active

Automatable yes

Technical Impact total

Affected Vendors & Products

Vendors Products
Facebook
  • React
  • React-server-dom-parcel
  • React-server-dom-turbopack
  • React-server-dom-webpack
Vercel
  • Next.js

Configuration 1 [-]

OR cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*

No data.

References
Link Providers
http://www.openwall.com/lists/oss-security/2025/12/03/4 cve-icon
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ cve-icon cve-icon
https://news.ycombinator.com/item?id=46136026 cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-55182 cve-icon
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components cve-icon cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-55182 cve-icon
https://www.facebook.com/security/advisories/cve-2025-55182 cve-icon cve-icon cve-icon
History

Fri, 05 Dec 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Facebook react
Vercel
Vercel next.js
CPEs cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*
cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*
cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*
cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*
Vendors & Products Facebook react
Vercel
Vercel next.js

Fri, 05 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 14:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2025-12-05T00:00:00+00:00', 'dueDate': '2025-12-26T00:00:00+00:00'}

Fri, 05 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
Title next: From CVEorg collector
Weaknesses CWE-502
References
Metrics threat_severity

None

 threat_severity

Critical

Thu, 04 Dec 2025 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Facebook
Facebook react-server-dom-parcel
Facebook react-server-dom-turbopack
Facebook react-server-dom-webpack
Vendors & Products Facebook
Facebook react-server-dom-parcel
Facebook react-server-dom-turbopack
Facebook react-server-dom-webpack

Thu, 04 Dec 2025 01:30:00 +0000

Type Values Removed Values Added
References

Wed, 03 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
References

Wed, 03 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Dec 2025 16:00:00 +0000

Type Values Removed Values Added
Description A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: Meta

Published: 2025-12-03T15:40:56.894Z

Updated: 2025-12-06T04:55:42.660Z

Reserved: 2025-08-08T18:21:47.119Z

Link: CVE-2025-55182

cve-icon Vulnrichment

Updated: 2025-12-04T17:32:12.884Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-03T16:15:56.463

Modified: 2025-12-06T02:00:02.510

Link: CVE-2025-55182

cve-icon Redhat

Severity : Critical

Publid Date: 2025-12-03T15:40:56Z

Links: CVE-2025-55182 - Bugzilla