Known Exploited Vulnerability
CVSS 3.1: 10.0 CRITICAL
CVE-2025-55182
Meta React Server Components Remote Code Execution Vulnerability - [Actively Exploited]
Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

INFO

Published Date: Dec. 3, 2025, 4:15 p.m.

Last Modified: Dec. 6, 2025, 2 a.m.

Remotely Exploitable: No
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182

Affected Products

The following products are affected by the CVE-2025-55182 vulnerability. Although cvefeed.io knows the exact affected versions of these products, that information is not shown in the table below.

ID Vendor Product Action
1 Vercel next.js
1 Facebook react
CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 4fc57720-52fe-4431-a0fb-3d2c8747b827
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL MITRE-CVE
Solution
Update React Server Components to a patched version to fix the unsafe deserialization.
  • Update React Server Components to a secure version.
  • Remove vulnerable packages like react-server-dom-parcel.
  • Apply security patches for affected packages.
  • Validate server function endpoint security.
Public PoC/Exploit Available at Github

CVE-2025-55182 has 695 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-55182 is associated with the following CWE: CWE-502 (Deserialization of Untrusted Data).

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-55182 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs-of-concept published on GitHub, sorted by the most recently updated.

React2Shell vulnerability verification lab for BreachPilot testing (CVE-2025-55182 simulation)

Languages: JavaScript, HTML

Updated: 8 hours, 5 minutes ago
0 stars, 0 forks, 0 watchers
Created: Dec. 24, 2025, 1:30 a.m. This repo is linked to 1 CVE.

(no description)

Languages: Dockerfile, Python, HTML, JavaScript, Go, CSS, Shell

Updated: 11 hours, 21 minutes ago
0 stars, 0 forks, 0 watchers
Created: Dec. 23, 2025, 10:18 p.m. This repo is linked to 1 CVE.

(no description)

Updated: 17 hours, 55 minutes ago
0 stars, 0 forks, 0 watchers
Created: Dec. 23, 2025, 3:16 p.m. This repo is linked to 3 different CVEs.

Interactive RCE exploitation tool for CVE-2025-55182 (React Server Components)

Tags: cve-2025-55182 exploit golan rce

Languages: Go

Updated: 18 hours, 45 minutes ago
1 star, 0 forks, 0 watchers
Created: Dec. 23, 2025, 2:44 p.m. This repo is linked to 1 CVE.

Threatviz is a groundbreaking AI powered multi-agent threat modeling platform using CVE.

Languages: Python, HTML

Updated: 19 hours, 56 minutes ago
0 stars, 0 forks, 0 watchers
Created: Dec. 23, 2025, 12:40 p.m. This repo is linked to 1 CVE.

a controlled environment to test CVE-2025-55182.

Updated: 1 day, 4 hours ago
0 stars, 0 forks, 0 watchers
Created: Dec. 23, 2025, 5:21 a.m. This repo is linked to 1 CVE.

Profile README

Updated: 1 day, 6 hours ago
0 stars, 0 forks, 0 watchers
Created: Dec. 23, 2025, 3:17 a.m. This repo is linked to 1 CVE.

Exploit Code for React2Shell RCE vulnerability (CVE-2025-55182) affecting React Server Components 19.0.0-19.2.0. Exploits unsafe deserialization for unauthenticated remote code execution.

Languages: Go

Updated: 1 day, 11 hours ago
1 star, 0 forks, 0 watchers
Created: Dec. 22, 2025, 10:18 p.m. This repo is linked to 1 CVE.

React2Shell: An exploitation framework for CVE-2025-55182 (Next.js/React RCE).

Tags: cve-2025-55182 cve-2025-55182-ctf nextjs nextjs-vulnerability rce react react-rce react2shell react2shell-scanner reactjs react2shell-exploitation react2shell-exploitation-tool reactjs-vulnerability

Languages: Python

Updated: 1 day, 20 hours ago
2 stars, 0 forks, 0 watchers
Created: Dec. 22, 2025, 12:36 p.m. This repo is linked to 1 CVE.

React2Shell Critical Vulnerability (CVE-2025-55182)

Languages: JavaScript

Updated: 1 day, 21 hours ago
0 stars, 0 forks, 0 watchers
Created: Dec. 22, 2025, 12:30 p.m. This repo is linked to 2 different CVEs.

(no description)

Languages: HTML, JavaScript, TypeScript, CSS

Updated: 4 hours, 31 minutes ago
0 stars, 0 forks, 0 watchers
Created: Dec. 22, 2025, 10:34 a.m. This repo is linked to 2 different CVEs.

(no description)

Updated: 1 day, 22 hours ago
0 stars, 0 forks, 0 watchers
Created: Dec. 22, 2025, 10:12 a.m. This repo is linked to 10 different CVEs.

(no description)

Languages: Java, TypeScript, CSS, JavaScript

Updated: 2 days, 1 hour ago
0 stars, 0 forks, 0 watchers
Created: Dec. 22, 2025, 8:22 a.m. This repo is linked to 2 different CVEs.

(no description)

Updated: 1 day, 14 hours ago
0 stars, 0 forks, 0 watchers
Created: Dec. 22, 2025, 5:20 a.m. This repo is linked to 10 different CVEs.

(no description)

Languages: CSS, TypeScript, JavaScript

Updated: 2 days, 9 hours ago
0 stars, 0 forks, 0 watchers
Created: Dec. 22, 2025, 12:29 a.m. This repo is linked to 1 CVE.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-55182 vulnerability anywhere in the article.

  • Daily CyberSecurity
Operation PCPcat: 60,000 Next.js Servers Hijacked in Just 48 Hours

A highly automated and ruthlessly efficient cyber-espionage campaign is tearing through the cloud infrastructure of modern web applications, leaving tens of thousands of compromised servers in its wak ... Read more

Published Date: Dec 24, 2025 (9 hours, 34 minutes ago)
  • Huntress
Tradecraft Tuesday Recap: React2Shell, ClickFix, and the Rise of AI Scams

Every security professional knows the drill. You go home for the holidays and, without volunteering, you become the family’s help desk, incident responder, and fraud advisor. Somewhere between dinner ... Read more

Published Date: Dec 23, 2025 (1 day, 1 hour ago)
  • hackread.com
Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan

A popular software tool used by website owners to check their server’s health is now being used by hackers to take complete control of computers. Researchers at the cybersecurity firm Ontinue have dis ... Read more

Published Date: Dec 22, 2025 (1 day, 20 hours ago)
  • CybersecurityNews
OpenAI GPT-5.2-Codex Supercharges Agentic Coding and Vulnerability Detection

OpenAI has unveiled GPT-5.2-Codex, a cutting-edge model optimized for agentic coding and enhanced cybersecurity tasks. The release highlights breakthroughs in handling complex software engineering and ... Read more

Published Date: Dec 19, 2025 (5 days, 6 hours ago)
  • The Hacker News
ThreatsDay Bulletin: WhatsApp Hijacks, MCP Leaks, AI Recon, React2Shell Exploit and 15 More Stories

This week's ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the ... Read more

Published Date: Dec 18, 2025 (5 days, 20 hours ago)
  • The Register
React2Shell exploitation spreads as Microsoft counts hundreds of hacked machines

Microsoft says attackers have already compromised "several hundred machines across a diverse set of organizations" via the React2Shell flaw, using the access to execute code, deploy malware, and, in s ... Read more

Published Date: Dec 18, 2025 (5 days, 22 hours ago)
  • Help Net Security
More than half of public vulnerabilities bypass leading WAFs

Miggo Security has released a new report that examines how web application firewalls are used across real-world security programs. The research outlines the role WAFs play as foundational infrastructu ... Read more

Published Date: Dec 18, 2025 (5 days, 22 hours ago)
  • BleepingComputer
Critical React2Shell flaw exploited in ransomware attacks

A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deployed the file-encrypting malware less than a minute later. Reac ... Read more

Published Date: Dec 17, 2025 (6 days, 17 hours ago)
  • CybersecurityNews
Microsoft Details Mitigations Against React2Shell RCE Vulnerability in React Server Components

Microsoft has released comprehensive mitigations for a critical vulnerability dubbed React2Shell (CVE-2025-55182), which poses severe risks to React Server Components and Next.js environments. With a ... Read more

Published Date: Dec 16, 2025 (1 week ago)
  • hackread.com
JumpCloud Remote Assist Flaw Lets Users Gain Full Control of Company Devices

A major security problem has been found in the JumpCloud Remote Assist for Windows agent, a tool used by over 180,000 organisations across 160 countries to manage their computers. This issue could all ... Read more

Published Date: Dec 16, 2025 (1 week ago)
  • security.nl
Google and Microsoft report exploitation of critical React2Shell flaw

Attackers are exploiting a critical vulnerability in React Server Components, also known as React2Shell and CVE-2025-55182, Microsoft and Google state in their analyses. Google even ... Read more

Published Date: Dec 16, 2025 (1 week ago)
  • The Hacker News
React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors

The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT ... Read more

Published Date: Dec 16, 2025 (1 week, 1 day ago)
  • Daily CyberSecurity
BlackForce PhaaS Weaponizes React and Stateful Sessions to Bypass MFA & Steal Credentials

A sophisticated new player has entered the Phishing-as-a-Service (PhaaS) market, offering cybercriminals a powerful toolset designed to bypass modern security controls with alarming ease. Dubbed Black ... Read more

Published Date: Dec 16, 2025 (1 week, 1 day ago)
  • CybersecurityNews
ZnDoor Malware Exploiting React2Shell Vulnerability to Compromise Network Devices

Since December 2025, a concerning trend has emerged across Japanese organizations as attackers exploit a critical vulnerability in React/Next.js applications. The vulnerability, tracked as CVE-2025-55 ... Read more

Published Date: Dec 15, 2025 (1 week, 1 day ago)
  • The Register
China, Iran are having a field day with React2Shell, Google warns

At least five more Chinese spy crews, Iran-linked goons, and financially motivated criminals are now attacking the React2Shell, a maximum-severity flaw in the widely used React JavaScript library, acc ... Read more

Published Date: Dec 15, 2025 (1 week, 1 day ago)
  • hackread.com
GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware

A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, w ... Read more

Published Date: Dec 15, 2025 (1 week, 1 day ago)
  • BleepingComputer
Google links more Chinese hacking groups to React2Shell attacks

Over the weekend, Google's threat intelligence team linked five more Chinese hacking groups to attacks exploiting the maximum-severity "React2Shell" remote code execution vulnerability. Tracked as C ... Read more

Published Date: Dec 15, 2025 (1 week, 1 day ago)
  • hackread.com
Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide

Torrance, United States / California, December 12th, 2025, CyberNewsWire In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that enables remote code execu ... Read more

Published Date: Dec 15, 2025 (1 week, 2 days ago)
  • CybersecurityNews
Cybersecurity News Weekly Newsletter – Windows, Chrome, and Apple 0-days, Kali Linux 2025.4, and MITRE Top 25

As 2025 nears its close, the cybersecurity landscape shows no signs of slowing down. This week’s developments highlight how rapidly the threat environment continues to evolve with major zero-day vulne ... Read more

Published Date: Dec 14, 2025 (1 week, 2 days ago)
  • CybersecurityNews
Google Warns Multiple Hacker Groups Are Exploiting React2Shell to Spread Malware

Google Threat Intelligence Group (GTIG) has issued a warning regarding the widespread exploitation of a critical security flaw in React Server Components. Known as React2Shell (CVE-2025-55182), this v ... Read more

Published Date: Dec 13, 2025 (1 week, 3 days ago)

The following table lists the changes that have been made to the CVE-2025-55182 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Dec. 06, 2025

    Action Type Old Value New Value
    Added Date Added 2025-12-05
    Added Due Date 2025-12-26
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name Meta React Server Components Remote Code Execution Vulnerability
  • Initial Analysis by [email protected]

    Dec. 05, 2025

    Action Type Old Value New Value
    Added CWE CWE-502
    Added CPE Configuration OR *cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.0.0 up to (excluding) 15.0.5 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.1.0 up to (excluding) 15.1.9 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.2.0 up to (excluding) 15.2.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.3.0 up to (excluding) 15.3.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.4.0 up to (excluding) 15.4.8 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.5.0 up to (excluding) 15.5.7 *cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 16.0.0 up to (excluding) 16.0.7 *cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:* 
*cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:* 
*cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*
    Added Reference Type Facebook, Inc.: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Types: Patch, Vendor Advisory
    Added Reference Type Facebook, Inc.: https://www.facebook.com/security/advisories/cve-2025-55182 Types: Vendor Advisory
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 Types: US Government Resource
    Added Reference Type CISA-ADP: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Types: Third Party Advisory
    Added Reference Type CVE: https://news.ycombinator.com/item?id=46136026 Types: Issue Tracking
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2025/12/03/4 Types: Mailing List, Patch, Third Party Advisory
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 05, 2025

    Action Type Old Value New Value
    Added Reference https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 04, 2025

    Action Type Old Value New Value
    Removed Reference https://github.com/ejpir/CVE-2025-55182-poc
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 04, 2025

    Action Type Old Value New Value
    Added Reference https://github.com/ejpir/CVE-2025-55182-poc
    Added Reference https://news.ycombinator.com/item?id=46136026
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 03, 2025

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2025/12/03/4
  • New CVE Received by [email protected]

    Dec. 03, 2025

    Action Type Old Value New Value
    Added Description A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added Reference https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
    Added Reference https://www.facebook.com/security/advisories/cve-2025-55182
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 10 (CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Changed (S:C)
Confidentiality Impact: High (C:H)
Integrity Impact: High (I:H)
Availability Impact: High (A:H)