CVE-2025-55182

Published Dec 3, 2025

Last updated 18 hours ago

CVSS critical 10.0
React
react2shell

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. It affects the packages `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. The flaw stems from insecure deserialization in the RSC payload handling logic, which lets attacker-controlled data influence server-side execution. Exploitation requires only a crafted HTTP request. Patches are available for React and Next.js: upgrade to a patched React release (19.0.1, 19.1.2, or 19.2.1) and update frameworks such as Next.js to their corresponding patched versions.
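As an added defender-side check (not code from the advisory, Intruder, or the React project), the following Python script walks an npm package-lock.json and flags every copy of the three react-server-dom packages that sits at one of the affected versions, reporting the patched release of the same minor line. It assumes only the affected and patched versions quoted above; the sample lockfile is constructed.

```python
"""Lockfile check for CVE-2025-55182 (React2Shell). Added example, not code from
the advisory or the React project: reads an npm package-lock.json (v2/v3 "packages"
map or v1 nested "dependencies") and reports react-server-dom-* copies whose version
is in the affected set named on the page. The sample lockfile below is constructed."""
import json

# Packages and versions named in the advisory.
AFFECTED_PACKAGES = {
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
}
AFFECTED_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
# Patched release for each affected minor line, as listed in the advisory.
PATCHED_FOR_LINE = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}


def package_name(lock_path):
    """Map a v2/v3 key like 'node_modules/x/node_modules/y' to the package name 'y'."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def iter_lock_entries(lock):
    """Yield (package_name, version) for every package recorded in the lockfile."""
    for path, meta in lock.get("packages", {}).items():  # lockfile v2/v3
        if path and isinstance(meta, dict) and "version" in meta:
            yield package_name(path), meta["version"]
    stack = list(lock.get("dependencies", {}).items())  # lockfile v1 nested tree
    while stack:
        name, meta = stack.pop()
        if "version" in meta:
            yield name, meta["version"]
        stack.extend(meta.get("dependencies", {}).items())


def find_vulnerable(lock):
    """Return sorted (name, installed, patched) triples for affected copies, nested ones included."""
    hits = set()
    for name, version in iter_lock_entries(lock):
        if name in AFFECTED_PACKAGES and version in AFFECTED_VERSIONS:
            hits.add((name, version, PATCHED_FOR_LINE[version.rsplit(".", 1)[0]]))
    return sorted(hits)


# Constructed sample: one patched top-level copy and one affected copy nested under a framework.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
  "node_modules/some-framework/node_modules/react-server-dom-webpack": {"version": "19.1.1"}}}""")

if __name__ == "__main__":
    for name, installed, patched in find_vulnerable(SAMPLE_LOCK):
        print(f"{name}@{installed} is affected by CVE-2025-55182; upgrade to {patched}")
```

A framework that bundles its own copy of these packages (the advisory names Next.js) does not show up in the lockfile this way, so the framework itself must also be on its patched release.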

Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Source: cve-assign@fb.com
NVD status: Awaiting Analysis

Insights

Analysis from the Intruder Security Team
Published Dec 4, 2025 Updated Dec 4, 2025

This vulnerability allows code execution via a deserialisation flaw within the react-server-dom packages. It affects React, Next.js and downstream projects that use these frameworks.

We have identified a large number of false or fake proof-of-concepts online, which have driven some misinformation regarding this vulnerability, as confirmed on the original researcher's site. We have also witnessed exploitation activity for this vulnerability as researchers and threat actors reverse engineer the patches to find a working exploit.

AssetNote have released a technical research post overnight which outlines the vulnerability and a method of detecting its presence.

Risk scores

CVSS 3.1

Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

100

  1. 📌 React Security Vulnerability: CVE-2025-55182 A critical security vulnerability has emerged in React. This is a dangerous flaw that attackers can use to attack live systems. https://t.co/P62MYFcqG8

    @KamCyberTR

    5 Dec 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 📌 The React2Shell vulnerability (CVE-2025-55182) was exploited by a group of China-linked attackers, just a few hours after the high severity level was announced for the vulnerability affecting Rea

    @Cybercachear

    5 Dec 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. The React vulnerability CVE-2025-55182 has caused a big stir over the past two days; Dify in particular currently appears to be the most severely affected, and it cannot be ruled out that some projects have already been compromised by hackers. So if you keep a lot of money in your wallet, reduce your interactions for now; this vulnerability is only the beginning, and after a few more days of deeper digging

    @pl_wanfeng

    5 Dec 2025

    1370 Impressions

    0 Retweets

    31 Likes

    0 Bookmarks

    32 Replies

    0 Quotes

  4. Super heavy activity going on with CVE-2025-55182 / React2Shell with interesting payloads dropping in @DefusedCyber https://t.co/WONaBxKmSr

    @SimoKohonen

    5 Dec 2025

    872 Impressions

    2 Retweets

    11 Likes

    3 Bookmarks

    0 Replies

    1 Quote

  5. ⚠️ React Server Components vulnerability @CERT_FR has published a security alert concerning vulnerability CVE-2025-55182 affecting React Server Components. ➡ Information and recommendations on the CERT-FR website: https://t.co/m38hmO34Pr https://t.co/Xp9D8

    @ANSSI_FR

    5 Dec 2025

    299 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. On Dec 3, 2025, the React team announced a critical RCE flaw in React Server Components CVE-2025-55182, also known as React2Shell. A major security wake-up call for developers. Read this 👇 https://t.co/Tarlv2igw7 https://t.co/0I5xaOQ61o

    @HasoTechnology

    5 Dec 2025

    77 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Man ! what a FRIDAY !! 🤣 - #Cloudflare Outage (Down) - #React2Shell (CVE-2025-55182) #Happy_Friday https://t.co/yyuvdewir7

    @0xH0k4

    5 Dec 2025

    69 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. [Urgent] A serious vulnerability in React Server Components (CVE-2025-55182). A record of how I responded this morning, plus safe upgrade steps [for Next.js / Bun] https://t.co/cy9JqsYmP3 #Qiitaアドカレ #Qiita via @PythonHaru

    @PythonHaru

    5 Dec 2025

    109 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Next.js/React just had a 10.0 full-score vulnerability. CVE-2025-55182, codenamed "React2shell". Unauthenticated remote code execution; 39% of cloud environments are hit. If you are using the App Router in Next.js 15-16, you should stop what you are doing and upgrade right now. https://t.co/hxBizdDVXh

    @PennyJoly

    5 Dec 2025

    332 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    1 Quote

  10. China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) https://t.co/DrGCjrY6b4 via @awscloud https://t.co/i6bjHNql0h

    @NexusFireX

    5 Dec 2025

    284 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. #CVE-2025-55182 #bugbounty https://t.co/t4Xc9BvgGO

    @julixsalas

    5 Dec 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Patch quickly~~ Right now everything is buzzing under a single name, 'React2Shell'. With the disclosure of the new vulnerability CVE-2025-55182, rated CVSS 10.0, developers and security experts around the world are calling it the "2025 edition of Log4Shell"

    @ngnicky

    5 Dec 2025

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. CyberNewsFlash: About the React Server Components vulnerability (CVE-2025-55182) - JPCERT Coordination Center (JPCERT/CC) https://t.co/D0OcxcpiTf

    @kawn2020

    5 Dec 2025

    137 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. #CVE-2025-55182: RSC RCE — It functions as an in-memory webshell backdoor, offering a significantly more covert foothold. Please verify this again on your own endpoint. https://t.co/aOic5sCu94

    @pyn3rd

    5 Dec 2025

    11365 Impressions

    23 Retweets

    202 Likes

    112 Bookmarks

    2 Replies

    1 Quote

  15. #CVE-2025-55182: RSC RCE — It operates as an in-memory webshell backdoor, providing a much more covert foothold. Please verify this on your own endpoint again. https://t.co/QdZ5IT0Z6i

    @pyn3rd

    5 Dec 2025

    50 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🔒Security Update React has disclosed a critical vulnerability (CVE-2025-55182) affecting React Server Components. Dify SaaS is not affected, and we have upgraded React to the patched version 19.2.1 to ensure continued security. Self-hosted users are encouraged to update to

    @dify_ai

    5 Dec 2025

    1402 Impressions

    3 Retweets

    6 Likes

    2 Bookmarks

    0 Replies

    2 Quotes

  17. #CVE-2025-55182: Memory Shell https://t.co/9Rg7bSQB2J

    @q810034

    5 Dec 2025

    234 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Successfully reproduced CVE-2025-55182. The impact on education-sector assets is fairly broad; I expect it will gradually be fixed over the next few days. While reproducing it again, there were two more approaches in the chain, pretty good, learned something. #CVE_2025_55182 https://t.co/ajAxXAkOT2

    @Master_HanChan

    5 Dec 2025

    10634 Impressions

    8 Retweets

    113 Likes

    84 Bookmarks

    5 Replies

    0 Quotes

  19. cve-2025-55182 and memshell of course talk about weaponization https://t.co/4G6tL9xm9Y

    @K_MnO4_

    5 Dec 2025

    2717 Impressions

    2 Retweets

    49 Likes

    8 Bookmarks

    4 Replies

    0 Quotes

  20. Critical React/Next.js RCE Exploit (CVE-2025-55182) Now Public. Patch NOW. Read the full report on - https://t.co/ZqUlknfCjh https://t.co/LkQ4Nvku2E

    @Iambivash007

    5 Dec 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. #CVE-2025-55182 VSHELL http://68.64.176.19:2082/ https://t.co/Ov7aJiK0z2

    @cxaqhq

    5 Dec 2025

    234 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🔒 Critical Patch Required: Zero-Day Vulnerability CVE-2025-55182 Actively Exploited in Enterprise Software https://t.co/z4qV0UnBx3 https://t.co/WlZOilMMVK

    @latestsummaries

    5 Dec 2025

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. This React vulnerability has been seriously misjudged! It has a huge impact on AI and Crypto! Your private key could be stolen too! A hacker needs only one HTTP request to plant an in-memory shell and control the server. This morning someone found a Japanese Dify host and reproduced the vulnerability, directly reaching dnslog,

    @SecPoX

    5 Dec 2025

    963 Impressions

    0 Retweets

    4 Likes

    1 Bookmark

    0 Replies

    1 Quote

  24. This is an improved version of the exploit script for CVE-2025-55182 React Server Components Remote Code Execution vulnerability (Fixed Multipart Version). https://t.co/tQ4MxMJbuR https://t.co/VWPlWI8ksY

    @Redceller

    5 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Published CyberNewsFlash "About the React Server Components vulnerability (CVE-2025-55182)". We have confirmed reports that this vulnerability is being exploited and that working proof-of-concept (PoC) code has been made public. After checking the information published by the developers,

    @jpcert

    5 Dec 2025

    12856 Impressions

    12 Retweets

    32 Likes

    10 Bookmarks

    0 Replies

    1 Quote

  26. #CVE-2025-55182: RSC RCE — Full Unicode encoding can bypass certain WAFs that lack proper decoding or normalization capabilities. Please verify this on your end. https://t.co/70Ovx7lu5g

    @pyn3rd

    5 Dec 2025

    20825 Impressions

    30 Retweets

    246 Likes

    137 Bookmarks

    3 Replies

    2 Quotes

  27. Just verified the latest Next.js RCE vulnerability (CVE-2025-55182). If you are self-hosting AI applications such as Dify, NextChat or LobeChat with Docker, your server may be running fully exposed right now. An attacker can obtain server privileges directly through a single HTTP request (see picture). Recommend immedi

    @Deep_333333

    5 Dec 2025

    294 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  28. This CVE-2025-55182 vulnerability can be hit directly on the public internet; it has already succeeded, and the success rate is not low! 👿 In real exploitation scenarios there is no echoed output; just go straight to RCE 😎 From current testing it can still hit Dify 😱 https://t.co/KV6j8vLOAj

    @AabyssZG

    5 Dec 2025

    46402 Impressions

    19 Retweets

    226 Likes

    170 Bookmarks

    11 Replies

    0 Quotes

  29. Amazon exposed Chinese APTs exploiting the React2Shell zero-day (CVE-2025-55182, CVSS 10.0) hours after disclosure. Earth Lamia and Jackpot Panda are actively targeting unpatched Next.js servers for reconnaissance. #React2Shell #ZeroDay #Cyberespionage https://t.co/kvHsrWZQQw

    @the_yellow_fall

    5 Dec 2025

    44 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  30. How interesting: China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182) https://t.co/g3L4rpxzrm https://t.co/qnieOdlc7g

    @AutomatismCloud

    5 Dec 2025

    168 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Critical RSC Vulnerability in React & Next.js Enables Unauthenticated Remote Code Execution A maximum-severity flaw was disclosed in React Server Components (RSC). Tracked as CVE-2025-55182, the vulnerability allows attackers to achieve RCE without authentication (CVSS 10.0)

    @Gh0xE9

    5 Dec 2025

    198 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  32. 🚨 Your React app just became a prime target. CVE-2025-55182: CVSS 10.0 React 19.x + Next.js 15-16 Remote Code Execution Unauthenticated But there's a superhero in this story... 🦸 🧵 (1/7) https://t.co/oqBnythNYQ https://t.co/Vv1x9mujfB

    @nxtgen579255

    5 Dec 2025

    217 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. “Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda.” Attack of the state spons

    @gothburz

    5 Dec 2025

    9669 Impressions

    16 Retweets

    93 Likes

    44 Bookmarks

    5 Replies

    1 Quote

  34. 🚨 Critical vulnerabilities (CVE-2025-55182, CVE-2025-66478) uncovered in React Server Components & Next.js! Threat actors could gain unauthorized data access & more. Developers, assess your systems ASAP! #React #Nextjs https://t.co/lqOVGnC4YI

    @xcybersecnews

    5 Dec 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182): Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts… https://t.co/yNGRuVfjbV

    @TheCloudSensei

    5 Dec 2025

    186 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Quick breakdown of CVE-2025-55182 for devs: What: RCE in React Server Components How: Malicious HTTP request → code execution on server Who: React 19, Next.js 15-16 with App Router Fix in 30 seconds: npx @neurolint/cli security:cve-2025-55182 . --fix

    @just_clive_sa

    5 Dec 2025

    174 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  37. React2Shell CVE-2025-55182, CVE-2025-66478. A pretty nasty vulnerability that makes RCE possible. Apparently fake PoCs are circulating, so be careful. https://t.co/oakAyf018D

    @tomtwinklestar

    4 Dec 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. POC for CVE-2025-55182 , 100% working real. Good luck and fix ASAP. https://t.co/qDTuoOE1ja

    @Chirag99Artani

    4 Dec 2025

    797 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  39. Remote Code Execution Vulnerability in React and Next.js Frameworks: December 2025: On December 3, 2025, the React team released a security advisory regarding a vulnerability, CVE-2025-55182, in the React server that could allow an… https://t.co/Uv1j3eYXgU #Cisco #Cybersecurit

    @PoseidonTPA

    4 Dec 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. CVE-2025-55182 poc is out https://t.co/1jNi6R948H https://t.co/wXgW4TTGF5

    @h4x0r_dz

    4 Dec 2025

    20100 Impressions

    20 Retweets

    177 Likes

    86 Bookmarks

    2 Replies

    2 Quotes

  41. 🚨 Critical React2Shell vulnerability (CVE-2025-55182) enables unauthenticated remote code execution in React and Next.js. #React2Shell #vulnerability #SecurityAlert 📢 Affects 40% of cloud infrastructure. Update immediately! https://t.co/92x4MGym64 https://t.co/7qyU2PDO

    @gridinsoft

    4 Dec 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. A POC for CVE-2025-55182 https://t.co/BcyJ1UbivA https://t.co/f5QoVsBbLE

    @maple3142

    4 Dec 2025

    208552 Impressions

    278 Retweets

    1260 Likes

    762 Bookmarks

    22 Replies

    46 Quotes

  43. (app="Next.js" && body="/_next/static/chunks/app/") && body="formaction" This is the fingerprint for CVE-2025-55182.

    @h1d9eh09_sec

    4 Dec 2025

    1096 Impressions

    2 Retweets

    9 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  44. We review two vulnerabilities affecting React (CVE-2025-55182) and Next.js (CVE-2025-66478), both with a CVSS score of 10.0. These vulns, in the React Server Components (RSC) Flight protocol, allow unauthenticated attackers to execute arbitrary code. https://t.co/JfOS15kpkC https

    @Unit42_Intel

    4 Dec 2025

    7639 Impressions

    28 Retweets

    72 Likes

    27 Bookmarks

    0 Replies

    1 Quote

  45. This is the most reliable public detection (at this time) to indicate whether a machine is actually exploitable to CVE-2025-55182 / React2Shell without invoking the RCE and limited FP's. it triggers an internal error and validates the vulnerable version https://t.co/YKiNeY7swX

    @galnagli

    4 Dec 2025

    17104 Impressions

    54 Retweets

    243 Likes

    154 Bookmarks

    2 Replies

    0 Quotes

  46. It is interesting to see that none of us were able to create a poc for the recent React RCE bug CVE-2025-55182 . even with the patched code available on https://t.co/5EITVrS1bU What you have found Lachlan Davidson !!!

    @h4x0r_dz

    4 Dec 2025

    3731 Impressions

    1 Retweet

    39 Likes

    12 Bookmarks

    1 Reply

    0 Quotes

  47. During all the chaos around CVE-2025-55182, we analyzed the React patch in detail at Kalir. The first behavior we investigated (Array.isArray on bound args) is a real and exploitable bug, but it’s not the main mechanism behind the CVE. Here’s my full research, including what

    @kalirsec

    4 Dec 2025

    38 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  48. During the chaos generated by CVE-2025-55182, at Kalir we analyzed the React patch in detail. The first behavior we investigated (Array.isArray on bound args) is a real and exploitable bug, but it is not the main mechanism of the CVE. Here is my full research,

    @kalirsec

    4 Dec 2025

    119 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. A few days ago a vulnerability with identifier CVE-2025-55182 was published for ReactJS and Next.js; a scanning and detection tool for this vulnerability, written in Python, has just been released. Its name i

    @EthicalSafe

    4 Dec 2025

    107 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🚨 CVE-2025-55182 - critical 🚨 React Server Components - Remote Code Execution > React Server Components 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including react-server-dom... 👾 https://t.co/Bc266HeswO @pdnuclei #NucleiTemplates #cve

    @pdnuclei_bot

    4 Dec 2025

    287 Impressions

    2 Retweets

    2 Likes

    2 Bookmarks

    0 Replies

    0 Quotes