NVD - CVE-2025-55182 (original) (raw)
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
CNA: Facebook, Inc.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
This CVE is in CISA's Known Exploited Vulnerabilities Catalog
Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.
| Vulnerability Name | Date Added | Due Date | Required Action |
|---|---|---|---|
| Meta React Server Components Remote Code Execution Vulnerability | 12/05/2025 | 12/12/2025 | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-502 | Deserialization of Untrusted Data | NIST |
Known Affected Software Configurations Switch to CPE 2.2
Change History
8 change records found show changes
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 12/09/2025 9:00:02 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Changed | Due Date | 2025-12-26 | 2025-12-12 |
CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 12/05/2025 9:00:02 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Date Added | 2025-12-05 | |
| Added | Due Date | 2025-12-26 | |
| Added | Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | |
| Added | Vulnerability Name | Meta React Server Components Remote Code Execution Vulnerability |
Initial Analysis by NIST 12/05/2025 12:44:58 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CWE | CWE-502 | |
| Added | CPE Configuration | OR *cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:* | |
| Added | CPE Configuration | Record truncated, showing 2048 of 5761 characters. View Entire Change Record OR *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.0.0 up to (excluding) 15.0.5 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.1.0 up to (excluding) 15.1.9 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.2.0 up to (excluding) 15.2.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.3.0 up to (excluding) 15.3.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.4.0 up to (excluding) 15.4.8 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.5.0 up to (excluding) 15.5.7 *cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 16.0.0 up to (excluding) 16.0.7 *cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary23: | |
| Added | Reference Type | CISA-ADP: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Types: Third Party Advisory | |
| Added | Reference Type | CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-55182 Types: US Government Resource | |
| Added | Reference Type | CVE: http://www.openwall.com/lists/oss-security/2025/12/03/4 Types: Mailing List, Patch, Third Party Advisory | |
| Added | Reference Type | CVE: https://news.ycombinator.com/item?id=46136026 Types: Issue Tracking | |
| Added | Reference Type | Facebook, Inc.: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Types: Patch, Vendor Advisory | |
| Added | Reference Type | Facebook, Inc.: https://www.facebook.com/security/advisories/cve-2025-55182 Types: Vendor Advisory |
CVE Modified by CISA-ADP 12/05/2025 10:15:51 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ | |
| Added | Reference | https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-55182 |
CVE Modified by CVE 12/04/2025 1:15:50 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Removed | Reference | https://github.com/ejpir/CVE-2025-55182-poc |
CVE Modified by CVE 12/03/2025 8:16:04 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | https://github.com/ejpir/CVE-2025-55182-poc | |
| Added | Reference | https://news.ycombinator.com/item?id=46136026 |
CVE Modified by CVE 12/03/2025 4:15:52 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | http://www.openwall.com/lists/oss-security/2025/12/03/4 |
New CVE Received from Facebook, Inc. 12/03/2025 11:15:56 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. | |
| Added | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | |
| Added | Reference | https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components | |
| Added | Reference | https://www.facebook.com/security/advisories/cve-2025-55182 |