{"cve_id":"CVE-2025-55182","summary":"A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"epss":0.65077,"ranking_epss":0.98465,"kev":true,"propose_action":"Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025-55182.","ransomware_campaign":"Known","references":["https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components","https://www.facebook.com/security/advisories/cve-2025-55182","http://www.openwall.com/lists/oss-security/2025/12/03/4","https://news.ycombinator.com/item?id=46136026","https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"],"published_time":"2025-12-03T16:15:56","cpes":["cpe:2.3:a:facebook:react:19.0.0","cpe:2.3:a:facebook:react:19.1.0","cpe:2.3:a:facebook:react:19.1.1","cpe:2.3:a:facebook:react:19.2.0","cpe:2.3:a:vercel:next.js:14.3.0","cpe:2.3:a:vercel:next.js:15.0.0","cpe:2.3:a:vercel:next.js:15.0.1","cpe:2.3:a:vercel:next.js:15.0.2","cpe:2.3:a:vercel:next.js:15.0.3","cpe:2.3:a:vercel:next.js:15.0.4","cpe:2.3:a:vercel:next.js:15.1.0","cpe:2.3:a:vercel:next.js:15.1.1","cpe:2.3:a:vercel:next.js:15.1.2","cpe:2.3:a:vercel:next.js:15.1.3","cpe:2.3:a:vercel:next.js:15.1.4","cpe:2.3:a:vercel:next.js:15.1.5","cpe:2.3:a:vercel:next.js:15.1.6","cpe:2.3:a:vercel:next.js:15.1.7","cpe:2.3:a:vercel:next.js:15.1.8","cpe:2.3:a:vercel:next.js:15.2.0","cpe:2.3:a:vercel:next.js:15.2.1","cpe:2.3:a:vercel:next.js:15.2.2","cpe:2.3:a:vercel:next.js:15.2.3","cpe:2.3:a:vercel:next.js:15.2.4","cpe:2.3:a:vercel:next.js:15.2.5","cpe:2.3:a:vercel:next.js:15.3.0","cpe:2.3:a:vercel:next.js:15.3.1","cpe:2.3:a:vercel:next.js:15.3.2","cpe:2.3:a:vercel:next.js:15.3.3","cpe:2.3:a:vercel:next.js:15.3.4","cpe:2.3:a:vercel:next.js:15.3.5","cpe:2.3:a:vercel:next.js:15.4.0","cpe:2.3:a:vercel:next.js:15.4.1","cpe:2.3:a:vercel:next.js:15.4.2","cpe:2.3:a:vercel:next.js:15.4.3","cpe:2.3:a:vercel:next.js:15.4.4","cpe:2.3:a:vercel:next.js:15.4.5","cpe:2.3:a:vercel:next.js:15.4.6","cpe:2.3:a:vercel:next.js:15.4.7","cpe:2.3:a:vercel:next.js:15.5.0","cpe:2.3:a:vercel:next.js:15.5.1","cpe:2.3:a:vercel:next.js:15.5.2","cpe:2.3:a:vercel:next.js:15.5.3","cpe:2.3:a:vercel:next.js:15.5.4","cpe:2.3:a:vercel:next.js:15.5.5","cpe:2.3:a:vercel:next.js:15.5.6","cpe:2.3:a:vercel:next.js:15.6.0","cpe:2.3:a:vercel:next.js:16.0.0","cpe:2.3:a:vercel:next.js:16.0.1","cpe:2.3:a:vercel:next.js:16.0.2","cpe:2.3:a:vercel:next.js:16.0.3","cpe:2.3:a:vercel:next.js:16.0.4","cpe:2.3:a:vercel:next.js:16.0.5","cpe:2.3:a:vercel:next.js:16.0.6"]}