1. Home
  2. Vulnerabilities
  3. CVE-2025-55182
Known Exploited Vulnerability
10.0
CRITICAL CVSS 3.1
CVE-2025-55182
Meta React Server Components Remote Code Execution Vulnerability - [Actively Exploited]
Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

INFO

Published Date :

Dec. 3, 2025, 4:15 p.m.

Last Modified :

Dec. 6, 2025, 2 a.m.

Remotely Exploit :

No

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182

Affected Products

The following products are affected by CVE-2025-55182 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Vercel next.js
1 Facebook react
: Total Affected Vendor : 2 | Products : 2
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL 4fc57720-52fe-4431-a0fb-3d2c8747b827
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL MITRE-CVE
Solution
Update React Server Components to a patched version to fix unsafe deserialization.
  • Update React Server Components to a secure version.
  • Remove vulnerable packages like react-server-dom-parcel.
  • Apply security patches for affected packages.
  • Validate server function endpoint security.
Public PoC/Exploit Available at Github

CVE-2025-55182 has a 927 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-55182.

URL Resource
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Patch Vendor Advisory
https://www.facebook.com/security/advisories/cve-2025-55182 Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/03/4 Mailing List Patch Third Party Advisory
https://news.ycombinator.com/item?id=46136026 Issue Tracking
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-55182 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-55182 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
BIG02-bot/React2Shell-CVE-2025-55182-An-lise-T-cnica

None

Updated: 6 hours, 13 minutes ago
0 stars 0 fork 0 watcher
Born at : Feb. 13, 2026, 12:22 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
ShabinSingh/POC

None

Updated: 1 day, 6 hours ago
0 stars 0 fork 0 watcher
Born at : Feb. 12, 2026, noon This repo has been linked 219 different CVEs too.
Profile Photo
snipevx/React2Shell-POC

React2Shell (CVE-2025-55182) POC

Python

Updated: 1 day, 11 hours ago
1 stars 0 fork 0 watcher
Born at : Feb. 12, 2026, 6:32 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
joshuacox/lynx

Interesting Links

Updated: 1 day, 4 hours ago
1 stars 0 fork 0 watcher
Born at : Feb. 11, 2026, 4:08 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
atiilla/CVE-2025-55182

RCE on Next 16.0.6

Updated: 3 days, 4 hours ago
0 stars 0 fork 0 watcher
Born at : Feb. 10, 2026, 1:55 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
f3csystems/BlockList_IP

None

Updated: 2 hours, 53 minutes ago
0 stars 0 fork 0 watcher
Born at : Feb. 10, 2026, 9:36 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
hursh-shah/codex-design-skill

UI-design skill package for Codex

Updated: 2 days ago
1 stars 0 fork 0 watcher
Born at : Feb. 10, 2026, 7:24 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
George0Papasotiriou/CVE-2025-55182-React2Shell-CVSS-10.0-

None

Python Shell

Updated: 3 days, 18 hours ago
1 stars 0 fork 0 watcher
Born at : Feb. 10, 2026, 12:19 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
BrianLopezM99/react2shell-CVE-2025-55182

An exploitation tool for the Next.js vulnerability CVE-2025-55182 that allows remote command execution through a poisoning prototype in React Server Components.

Python

Updated: 4 days, 12 hours ago
1 stars 0 fork 0 watcher
Born at : Feb. 9, 2026, 12:39 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
InteractiveDesignsStudio/InteractiveDesignsApp

None

Nix TypeScript JavaScript CSS

Updated: 4 days, 21 hours ago
0 stars 0 fork 0 watcher
Born at : Feb. 8, 2026, 9:27 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
shooterman250/Interactive-Designs-Studio

None

Nix TypeScript JavaScript CSS

Updated: 4 days, 20 hours ago
0 stars 0 fork 0 watcher
Born at : Feb. 8, 2026, 8:41 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
vanhoangkha/awesome-aws-security

None

Updated: 5 days, 1 hour ago
3 stars 0 fork 0 watcher
Born at : Feb. 8, 2026, 4:51 a.m. This repo has been linked 10 different CVEs too.
Profile Photo
delphsoft/wolfargy

None

TypeScript CSS Shell JavaScript

Updated: 6 days, 23 hours ago
0 stars 0 fork 0 watcher
Born at : Feb. 6, 2026, 6:53 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
dhpradeep/r2s

Learning Purpose only

Makefile Python JavaScript

Updated: 1 week ago
0 stars 0 fork 0 watcher
Born at : Feb. 6, 2026, 8:59 a.m. This repo has been linked 2 different CVEs too.
Profile Photo
vinaes/xgraph

Xray-core Graph Builder with UI

Dockerfile JavaScript HTML TypeScript CSS

Updated: 1 week, 1 day ago
0 stars 0 fork 0 watcher
Born at : Feb. 5, 2026, 1:57 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-55182 vulnerability anywhere in the article.

  • Daily CyberSecurity
The Rise of Vibecoding: AI-Generated Malware Exploits React2Shell

A new class of cyberattack has been caught in the wild, one where the code isn’t written by a human hand, but generated entirely by artificial intelligence. Darktrace has released a report detailing a ... Read more

Published Date: Feb 12, 2026 (1 day, 18 hours ago)
  • CybersecurityNews
ILOVEPOOP Toolkit Exploiting React2Shell Vulnerability to Deploy Malicious Payload

The cybersecurity sector has been impacted by the sudden appearance of “React2Shell” (CVE-2025-55182), a critical vulnerability affecting Next.js and React Server Components. Following its public disc ... Read more

Published Date: Feb 10, 2026 (3 days, 3 hours ago)
  • The Hacker News
TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The ac ... Read more

Published Date: Feb 09, 2026 (4 days, 10 hours ago)
  • Hackread - Cybersecurity News, Data Breaches, AI and More
17% of 3rd-Party Add-Ons for OpenClaw Used in Crypto Theft and macOS Malware

Bitdefender Labs reveals that 17% of OpenClaw AI skills analyzed in February 2026 are malicious. With over 160,000 stars on GitHub, OpenClaw is being exploited to steal crypto keys and install macOS m ... Read more

Published Date: Feb 06, 2026 (1 week ago)
  • The Hacker News
Hackers Exploit React2Shell to Hijack Web Traffic via Compromised NGINX Servers

Cybersecurity researchers have disclosed details of an active web traffic hijacking campaign that has targeted NGINX installations and management panels like Baota (BT) in an attempt to route it throu ... Read more

Published Date: Feb 05, 2026 (1 week, 1 day ago)
  • CybersecurityNews
Chrome Vulnerabilities Let Attackers Execute Arbitrary Code and Crash System

Chrome Vulnerabilities Arbitrary Code Google has released a critical security update for the Chrome Stable channel, addressing two high-severity vulnerabilities that expose users to potential arbitrar ... Read more

Published Date: Feb 04, 2026 (1 week, 2 days ago)
  • Daily CyberSecurity
Silent Intrusion: “Metro4Shell” Exploited in the Wild Since December

Image: VulCheck A new report from VulnCheck reveals that CVE-2025-11953, a critical flaw in the Metro development server dubbed “Metro4Shell,” was being actively weaponized in the wild as early as lat ... Read more

Published Date: Feb 04, 2026 (1 week, 2 days ago)
  • Daily CyberSecurity
Urgent Django Update: Patches 3 Critical SQL Injections & DoS Risks

The maintainers of the popular Python web framework Django have issued an urgent security release to squash a cluster of high-severity vulnerabilities that could allow attackers to manipulate database ... Read more

Published Date: Feb 04, 2026 (1 week, 2 days ago)
  • Daily CyberSecurity
React Under Siege: Two IPs Drive 56% of Critical CVE-2025-55182 Attacks

Two months after the disclosure of a catastrophic vulnerability in React Server Components, the attack landscape has shifted from chaotic experimentation to concentrated, industrial-scale exploitation ... Read more

Published Date: Feb 04, 2026 (1 week, 2 days ago)
  • Daily CyberSecurity
Chrome 144 Security Alert: V8 & Libvpx Flaws Expose Systems to Hacks

The Stable channel for desktop users has just received a crucial security update, patching two high-severity vulnerabilities that could leave systems exposed to exploitation. The release bumps the ver ... Read more

Published Date: Feb 04, 2026 (1 week, 2 days ago)
  • CybersecurityNews
Hackers Exploiting React Server Components Vulnerability in the Wild to Deploy Malicious Payloads

React Server Vulnerability Exploited Two months following the disclosure of CVE-2025-55182, exploitation activity targeting React Server Components has evolved from broad scanning into consolidated, h ... Read more

Published Date: Feb 04, 2026 (1 week, 2 days ago)
  • Daily CyberSecurity
Rooted via Wi-Fi 7: TP-Link Patches Command Injection in Archer BE230

A new security advisory from TP-Link has disclosed multiple authenticated command injection vulnerabilities affecting its Archer BE230 Wi-Fi 7 router, specifically version 1.2.The vulnerabilities, tra ... Read more

Published Date: Feb 04, 2026 (1 week, 2 days ago)
  • The Cyber Express
IPIDEA Proxy Network Dismantled: Global Cybercrime and Botnet Risks Exposed

Researchers have found what they believe is one of the world’s largest residential proxy networks: the IPIDEA proxy operation. The action targeted a little-known but deeply embedded component of the o ... Read more

Published Date: Feb 03, 2026 (1 week, 3 days ago)
  • The Hacker News
ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories

This week's updates show how small changes can create real problems. Not loud incidents, but quiet shifts that are easy to miss until they add up. The kind that affects systems people rely on every da ... Read more

Published Date: Jan 29, 2026 (2 weeks, 1 day ago)
  • The Cyber Express
Nation-State Hackers, Cybercriminals Weaponize Patched WinRAR Flaw Despite Six-Month-Old Fix

Russian and Chinese espionage groups continue to exploit an N-day vulnerability (CVE-2025-8088) in WinRAR alongside financially motivated actors, all leveraging a path traversal vulnerability that dro ... Read more

Published Date: Jan 29, 2026 (2 weeks, 1 day ago)
  • The Cyber Express
Malicious Open Source Software Packages Neared 500,000 in 2025

Malicious open source software packages have become a critical problem threatening the software supply chain. That’s one of the major takeaways of a new report titled “State of the Software Supply Cha ... Read more

Published Date: Jan 28, 2026 (2 weeks, 1 day ago)
  • The Cyber Express
Hackers Exploit React2Shell Vulnerability to Deploy Miners and Botnets Worldwide

Threat actors have been actively exploiting a critical vulnerability in React Server Components, tracked as CVE-2025-55182 and commonly referred to as React2Shell, to compromise systems across multipl ... Read more

Published Date: Jan 28, 2026 (2 weeks, 2 days ago)
  • CybersecurityNews
Attackers Exploiting React2Shell Vulnerability to Attack IT Sectors

Threat actors have started targeting companies in the insurance, e-commerce, and IT sectors through a critical vulnerability tracked as CVE-2025-55182, commonly known as React2Shell. This flaw exists ... Read more

Published Date: Jan 27, 2026 (2 weeks, 3 days ago)
  • CybersecurityNews
MEDUSA Security Testing Tool With 74 Scanners and 180+ AI Agent Security Rules

MEDUSA, an AI-first Static Application Security Testing (SAST) tool boasting 74 specialized scanners and over 180 AI agent security rules. This open-source CLI scanner targets modern development chall ... Read more

Published Date: Jan 27, 2026 (2 weeks, 3 days ago)
  • Google Cloud
Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088

Introduction The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability CVE-2025-8088 in WinRAR, a popular file archiver tool for Windows, ... Read more

Published Date: Jan 27, 2026 (2 weeks, 3 days ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-55182 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Dec. 06, 2025

    Action Type Old Value New Value
    Added Date Added 2025-12-05
    Added Due Date 2025-12-26
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name Meta React Server Components Remote Code Execution Vulnerability
  • Initial Analysis by [email protected]

    Dec. 05, 2025

    Action Type Old Value New Value
    Added CWE CWE-502
    Added CPE Configuration OR *cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*
    Added CPE Configuration OR *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.0.0 up to (excluding) 15.0.5 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.1.0 up to (excluding) 15.1.9 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.2.0 up to (excluding) 15.2.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.3.0 up to (excluding) 15.3.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.4.0 up to (excluding) 15.4.8 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.5.0 up to (excluding) 15.5.7 *cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 16.0.0 up to (excluding) 16.0.7 *cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*
    Added Reference Type Facebook, Inc.: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Types: Patch, Vendor Advisory
    Added Reference Type Facebook, Inc.: https://www.facebook.com/security/advisories/cve-2025-55182 Types: Vendor Advisory
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 Types: US Government Resource
    Added Reference Type CISA-ADP: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Types: Third Party Advisory
    Added Reference Type CVE: https://news.ycombinator.com/item?id=46136026 Types: Issue Tracking
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2025/12/03/4 Types: Mailing List, Patch, Third Party Advisory
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 05, 2025

    Action Type Old Value New Value
    Added Reference https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 04, 2025

    Action Type Old Value New Value
    Removed Reference https://github.com/ejpir/CVE-2025-55182-poc
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 04, 2025

    Action Type Old Value New Value
    Added Reference https://github.com/ejpir/CVE-2025-55182-poc
    Added Reference https://news.ycombinator.com/item?id=46136026
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Dec. 03, 2025

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2025/12/03/4
  • New CVE Received by [email protected]

    Dec. 03, 2025

    Action Type Old Value New Value
    Added Description A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added Reference https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
    Added Reference https://www.facebook.com/security/advisories/cve-2025-55182
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 10
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact