CVE-2025-55182
Meta React Server Components Remote Code Execution Vulnerability - [Actively Exploited]
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
INFO
Published Date: Dec. 3, 2025, 4:15 p.m.
Last Modified: Dec. 6, 2025, 2 a.m.
Remotely Exploitable: Yes (pre-authentication, network-reachable; CVSS vector AV:N/PR:N)
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note that CVE-2025-66478 has been rejected, but it is associated with CVE-2025-55182.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Detected Feb 26, 2026
Check for signs of potential compromise on all internet-accessible React instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | CRITICAL | | | | 4fc57720-52fe-4431-a0fb-3d2c8747b827 |
| 10.0 | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | [email protected] |
| | CVSS 3.1 | CRITICAL | | | | MITRE-CVE |

The vector in the [email protected] row is the one recorded when the CVE was received (see the vulnerability history below); the 10.0 / 3.9 / 6.0 values follow from that vector under the CVSS 3.1 formula. The other two sources also rate the issue CRITICAL, but their vectors are not reproduced on this page.
Solution
- Upgrade react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack to a patched release. The React advisory names 19.0.1, 19.1.2 and 19.2.1 as the fixed versions for the 19.0, 19.1 and 19.2 lines.
- Upgrade any framework that bundles those packages. For Next.js the NVD CPE data below gives the first fixed release of each affected line: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7; canary builds of 14.3.0 and 15.6.0 are listed individually.
- Removing react-server-dom-* is only an option for applications that do not use Server Components or Server Functions; for everything else these packages are the RSC runtime and must be upgraded, not deleted.
- Where an immediate upgrade is not possible, apply the interim fix linked above (vercel-labs/fix-react2shell-next) and keep Server Function endpoints off the public internet until patched.
- Because the flaw is reachable without authentication and is in CISA's KEV catalog, check every internet-facing instance for signs of compromise after patching rather than assuming the upgrade closed the window.
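As an added practitioner check written for this page (not tooling from the React, Next.js or NVD projects): a Python script that reads a lockfileVersion 2/3 `package-lock.json` and flags the affected RSC runtime packages and Next.js releases. The affected react-server-dom-* versions come from the CVE description on this page and the Next.js ranges from the NVD CPE configuration reproduced in the vulnerability history below; the fixed React releases 19.0.1, 19.1.2 and 19.2.1 are those named in the React advisory. The sample lockfile is constructed inline so the script runs offline; point it at a real lockfile by passing the path as the first argument.

```python
"""Flag package-lock.json entries affected by CVE-2025-55182 (React2Shell).

Added example for this page, not tooling from React, Next.js or NVD.
Affected react-server-dom-* versions: CVE description on this page.
Affected Next.js versions: NVD CPE configuration reproduced on this page.
Fixed React releases (19.0.1, 19.1.2, 19.2.1): the React advisory.
"""
import json
import re
import sys

RSC_PACKAGES = ("react-server-dom-parcel", "react-server-dom-turbopack",
                "react-server-dom-webpack")
RSC_AFFECTED = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
RSC_FIXED = "19.0.1 / 19.1.2 / 19.2.1"

# [lo, hi): lo is affected, hi is the first fixed release of that minor line.
NEXT_RANGES = [((15, 0, 0), (15, 0, 5)), ((15, 1, 0), (15, 1, 9)),
               ((15, 2, 0), (15, 2, 6)), ((15, 3, 0), (15, 3, 6)),
               ((15, 4, 0), (15, 4, 8)), ((15, 5, 0), (15, 5, 7)),
               ((16, 0, 0), (16, 0, 7))]
NEXT_EXACT = {(15, 6, 0)}                      # listed individually by NVD
NEXT_CANARIES = {(15, 6, 0): range(0, 58),     # 15.6.0-canary.0 .. canary.57
                 (14, 3, 0): range(77, 88)}    # 14.3.0-canary.77 .. canary.87

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$")


def parse_version(text):
    """'15.6.0-canary.12' -> ((15, 6, 0), 12); '15.5.6' -> ((15, 5, 6), None)."""
    m = _VER.match(text.strip())
    if not m:
        return None
    core = tuple(int(x) for x in m.group(1, 2, 3))
    canary = int(m.group(4)) if m.group(4) is not None else None
    return core, canary


def next_is_affected(version):
    parsed = parse_version(version)
    if parsed is None:          # unknown scheme (e.g. a git URL): do not guess
        return False
    core, canary = parsed
    if canary is not None:
        return canary in NEXT_CANARIES.get(core, ())
    return core in NEXT_EXACT or any(lo <= core < hi for lo, hi in NEXT_RANGES)


def rsc_is_affected(name, version):
    return name in RSC_PACKAGES and version.strip() in RSC_AFFECTED


def scan_lockfile(lock):
    """Return [(name, version, advice)] for affected entries in a lockfileVersion
    2/3 package-lock.json, whose "packages" map is keyed by node_modules path."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:            # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]   # keeps scoped names intact
        version = meta.get("version", "")
        if rsc_is_affected(name, version):
            findings.append((name, version,
                             "vulnerable RSC runtime; upgrade to " + RSC_FIXED))
        elif name == "next" and next_is_affected(version):
            findings.append((name, version,
                             "Next.js bundles an affected RSC runtime; upgrade to "
                             "the first fixed release of this minor line"))
    return findings


# Constructed sample: a Next.js 15.5 app with the vulnerable webpack runtime,
# plus a nested, already-patched copy that must not be flagged. The `react`
# package alone is not the RSC runtime the CVE describes, so it is not flagged.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, advice in scan_lockfile(lock):
        print(f"{name}@{version}: {advice}")
```

The scan walks nested `node_modules` paths, so a patched top-level copy does not hide a vulnerable copy pulled in by a dependency, and versions it cannot parse (git URLs, workspace links) are skipped rather than guessed at; list those separately if your lockfile contains them.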
Public PoC/Exploit Available at Github
CVE-2025-55182 has 1010 public PoC/Exploits available on GitHub. Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-55182.
| URL | Resource |
|---|---|
| https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components | Patch Vendor Advisory |
| https://www.facebook.com/security/advisories/cve-2025-55182 | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2025/12/03/4 | Mailing List Patch Third Party Advisory |
| https://news.ycombinator.com/item?id=46136026 | Issue Tracking |
| https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-55182 is associated with the following CWE:
- CWE-502: Deserialization of Untrusted Data (assigned in the NVD analysis recorded in the vulnerability history below; the vulnerable code deserializes attacker-controlled HTTP payloads sent to Server Function endpoints)
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the weaknesses behind CVE-2025-55182.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list collects public exploits and proofs-of-concept published on GitHub (sorted by most recently updated).
Agentic AI in action
HTML Svelte TypeScript JavaScript
A collection of standalone Bash scripts that detect indicators of compromise (IoCs) for specific CVEs.
Shell Makefile
Open-source security scanner and configuration auditor for Vercel. 130+ checks across 20 categories. Finds leaked tokens, WAF gaps, NEXT_PUBLIC_ secret leaks, subdomain takeover risks, Next.js CVEs, and more. Single binary, zero dependencies.
cli cloud-security compliance cspm devsecops golang misconfiguration nextjs nextjs-security pentesting posture-management prowler scoutsuite security security-audit security-scanner security-tools subdomain-takeover vercel vercel-security
Makefile Go Shell
Intentionally vulnerable Next.js RSC Docker lab for CVE-2025-55182 (React2Shell) local testing
Dockerfile TypeScript
None
Dockerfile Shell
Master's Thesis research on CVE-2025-55182 (React2Shell). Advanced exploit with 4 attack vectors, interactive shell, and complete vulnerable laboratory. Portfolio piece demonstrating security research and exploit development.
Python JavaScript TypeScript Shell
Exploitation of security vulnerability CVE-2025-55182 in the React component
A tool for people curious about the React Server Components protocol
HTML JavaScript TypeScript CSS
CVE-2025-55182 — React2Shell
cve-2025-55182 vibe-coding
Shell Nix Python Dockerfile TypeScript
None
Suo5 in-memory webshell (memory shell) for Node.js environments.
JavaScript
MIT License snippets for VibeCodingMexico.com
PHP
None
Python
REC Exploit is a Python-based security testing tool that automates detection of potential RCE conditions in web applications under authorized environments. It sends crafted POST requests to targets, analyzes server responses for execution indicators, and supports batch scanning with custom input, structured payload handling, and clear CLI output.
Python
Proof-of-concept for CVE-2025-55182 (React2Shell): unauthenticated RCE in React Server Components / Next.js via Flight protocol deserialization.
Dockerfile TypeScript CSS JavaScript
Results are limited to the first 15 repositories due to potential performance issues.
The following list shows news articles that mention the CVE-2025-55182 vulnerability anywhere in the article.
-
Help Net Security
Vulnerabilities from years ago still opening doors for attackers
Exploitation timelines continued to compress in enterprise environments, with newly disclosed flaws reaching active use almost immediately and older weaknesses remaining active years after disclosure. ... Read more
-
Daily CyberSecurity
Critical Jenkins Flaws Expose CI/CD Servers to Remote Code Execution
The Jenkins project has released a critical security advisory addressing multiple vulnerabilities that could lead to full system compromise. The advisory highlights two high-severity flaws in the Jenk ... Read more
-
CybersecurityNews
RondoDox Botnet Expands to 174 Exploits, Leveraging Residential IP Infrastructure at Scale
A newly tracked botnet called RondoDox has quietly built itself into one of the more concerning threats observed in recent months, combining an unusually large collection of exploits with a calculated ... Read more
-
Help Net Security
Agentic attack chains advance as infostealers flood criminal markets
Cybercriminals spent much of 2025 automating their operations, shifting from one-off attacks to systems that can run entire intrusion cycles with minimal human input. Data collected from criminal foru ... Read more
-
Hackread - Cybersecurity News, Data Breaches, AI and More
900+ Certificates Used by Fortune 500, Governments Exposed by Key Leaks
A massive security gap has been brought to light by the research firm GitGuardian in partnership with Google. The study reveals that the private keys used to protect some of the world’s most important ... Read more
-
CybersecurityNews
Suspected DPRK Threat Actors Compromise Crypto Firms, Steal Keys and Cloud Assets in Coordinated Attacks
A coordinated campaign targeting cryptocurrency organizations has drawn attention from the security community, with evidence pointing to threat actors potentially linked to North Korea’s state-sponsor ... Read more
-
Daily CyberSecurity
Suspected North Korean Actors Target the Cryptocurrency Supply Chain
Web-app exploitation | Image: Ctrl-Alt-Intel Cybersecurity researchers at Ctrl-Alt-Intel have released a detailed investigation into a systematic campaign targeting the heart of the cryptocurrency ind ... Read more
-
Huntress
The Evolving Linux Threat Landscape
Introduction Linux is the backbone of the enterprise, supporting critical applications, web servers, cloud infrastructure, hypervisors, containers, CI/CD pipelines, and more. This makes it a high-valu ... Read more
-
The Cloudflare Blog
Introducing the 2026 Cloudflare Threat Report
Introducing the 2026 Cloudflare Threat Report2026-03-035 min readToday’s threat landscape is more varied and chilling than ever: Sophisticated nation-state actors. Hyper-volumetric DDoS attacks. Deepf ... Read more
-
Hackread - Cybersecurity News, Data Breaches, AI and More
Report Finds Just 1% of Security Flaws Drive Most Cyberattacks in 2025
While thousands of security flaws are reported every year, a new investigation has found that the vast majority are never actually used. Instead, a small group of “routinely targeted” flaws are doing ... Read more
-
Daily CyberSecurity
The Three-Year Shadow: Critical CVSS 10 Cisco SD-WAN Zero-Day Exploited by UAT-8616
Cisco Talos has issued a high-alert warning regarding the active exploitation of CVE-2026-20127, a critical vulnerability affecting the Cisco Catalyst SD-WAN Controller. This CVSS 10 vulnerability all ... Read more
-
Help Net Security
Edge systems take the brunt of internet-wide exploitation attempts
Internet-facing VPNs, routers, and remote access services absorbed sustained exploitation attempts throughout the second half of 2025, with nearly 3 billion malicious sessions recorded over 162 days. ... Read more
-
Daily CyberSecurity
Machine-Speed Intrusions: How One Hacker Used DeepSeek and Claude to Scale a Global Campaign
A report by threat researcher @goyaramen reveals a sophisticated software pipeline that embeds Large Language Models (LLMs) directly into a malicious intrusion workflow, allowing a likely lone operato ... Read more
-
The Hacker News
Wormable XMRig Campaign Uses BYOVD Exploit and Time-Based Logic Bomb
Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts. "Analysis of ... Read more
-
Daily CyberSecurity
The Rise of Vibecoding: AI-Generated Malware Exploits React2Shell
A new class of cyberattack has been caught in the wild, one where the code isn’t written by a human hand, but generated entirely by artificial intelligence. Darktrace has released a report detailing a ... Read more
-
CybersecurityNews
ILOVEPOOP Toolkit Exploiting React2Shell Vulnerability to Deploy Malicious Payload
The cybersecurity sector has been impacted by the sudden appearance of “React2Shell” (CVE-2025-55182), a critical vulnerability affecting Next.js and React Server Components. Following its public disc ... Read more
-
The Hacker News
TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The ac ... Read more
-
Hackread - Cybersecurity News, Data Breaches, AI and More
17% of 3rd-Party Add-Ons for OpenClaw Used in Crypto Theft and macOS Malware
Bitdefender Labs reveals that 17% of OpenClaw AI skills analyzed in February 2026 are malicious. With over 160,000 stars on GitHub, OpenClaw is being exploited to steal crypto keys and install macOS m ... Read more
-
The Hacker News
Hackers Exploit React2Shell to Hijack Web Traffic via Compromised NGINX Servers
Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route it throu ... Read more
-
CybersecurityNews
Chrome Vulnerabilities Let Attackers Execute Arbitrary Code and Crash System
Chrome Vulnerabilities Arbitrary Code Google has released a critical security update for the Chrome Stable channel, addressing two high-severity vulnerabilities that expose users to potential arbitrar ... Read more
The following table lists the changes that have been made to the CVE-2025-55182 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Dec. 06, 2025
- Added Date Added: 2025-12-05
- Added Due Date: 2025-12-26
- Added Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Added Vulnerability Name: Meta React Server Components Remote Code Execution Vulnerability
-
Initial Analysis by [email protected]
Dec. 05, 2025
- Added CWE: CWE-502
- Added CPE Configuration (React, cpe:2.3:a:facebook:react): 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Added CPE Configuration (Next.js, cpe:2.3:a:vercel:next.js, target node.js):
  - versions from (including) 15.0.0 up to (excluding) 15.0.5
  - versions from (including) 15.1.0 up to (excluding) 15.1.9
  - versions from (including) 15.2.0 up to (excluding) 15.2.6
  - versions from (including) 15.3.0 up to (excluding) 15.3.6
  - versions from (including) 15.4.0 up to (excluding) 15.4.8
  - versions from (including) 15.5.0 up to (excluding) 15.5.7
  - 15.6.0 and 15.6.0 canary0 through canary57 (each canary listed individually)
  - versions from (including) 16.0.0 up to (excluding) 16.0.7, with 16.0.0 also listed individually
  - 14.3.0 canary77 through canary87 (each canary listed individually)
- Added Reference Type: Facebook, Inc.: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Types: Patch, Vendor Advisory
- Added Reference Type: Facebook, Inc.: https://www.facebook.com/security/advisories/cve-2025-55182 Types: Vendor Advisory
- Added Reference Type: CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 Types: US Government Resource
- Added Reference Type: CISA-ADP: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Types: Third Party Advisory
- Added Reference Type: CVE: https://news.ycombinator.com/item?id=46136026 Types: Issue Tracking
- Added Reference Type: CVE: http://www.openwall.com/lists/oss-security/2025/12/03/4 Types: Mailing List, Patch, Third Party Advisory
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Dec. 05, 2025
- Added Reference: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 04, 2025
- Removed Reference: https://github.com/ejpir/CVE-2025-55182-poc
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 04, 2025
- Added Reference: https://github.com/ejpir/CVE-2025-55182-poc
- Added Reference: https://news.ycombinator.com/item?id=46136026
-
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 03, 2025
- Added Reference: http://www.openwall.com/lists/oss-security/2025/12/03/4
-
New CVE Received by [email protected]
Dec. 03, 2025
- Added Description: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
- Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Added Reference: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Added Reference: https://www.facebook.com/security/advisories/cve-2025-55182