CVE-2025-55182

Published Dec 3, 2025
Last updated 5 months ago
Exploit known CVSS critical 10.0
npm
React
react2shell
Supply chain
Business logic
Cloud
Overview

Description: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Source: cve-assign@fb.com
NVD status: Analyzed
Products: react, next.js
Risk scores

CVSS 3.1

Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
Known exploits

Data from CISA
Vulnerability name: Meta React Server Components Remote Code Execution Vulnerability
Exploit added on: Dec 5, 2025
Exploit action due: Dec 26, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Weaknesses

nvd@nist.gov: CWE-502
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
Hype score: 29
Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "C66E1B0F-8C3F-4D27-9F46-B6EC78D8C60B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "C6C1C3E2-542D-4001-BFA9-6CF5A038971D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "A0907E1C-E2D2-44A4-AA46-CE80BCA4E015",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "0030B5E1-E79E-4C48-B500-91747FE2751D",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "FC2BCD83-CC87-4CDC-AD9B-2055912A8463",
            "versionEndExcluding": "15.0.5",
            "versionStartIncluding": "15.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "C5E767D4-E46F-4CA6-A22F-4D0671B9B102",
            "versionEndExcluding": "15.1.9",
            "versionStartIncluding": "15.1.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "5EFB6CB7-4A4F-464A-A1D8-62B50DF0B4BA",
            "versionEndExcluding": "15.2.6",
            "versionStartIncluding": "15.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "83AF54D7-410D-42B4-853A-8A1973636542",
            "versionEndExcluding": "15.3.6",
            "versionStartIncluding": "15.3.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "3D666EA7-BDAE-4E67-A331-B7403C3AA482",
            "versionEndExcluding": "15.4.8",
            "versionStartIncluding": "15.4.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "E666ECDA-7A29-4D3D-AC40-357F044AD595",
            "versionEndExcluding": "15.5.7",
            "versionStartIncluding": "15.5.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "CF65554E-4BF0-4344-AE7F-9E09E34E084F",
            "versionEndExcluding": "16.0.7",
            "versionStartIncluding": "16.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*",
            "matchCriteriaId": "B209A306-CE1A-448D-8653-7627302399B7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*",
            "matchCriteriaId": "D1DCAC23-7ED0-456B-8AE2-57689199F708",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*",
            "matchCriteriaId": "8B35D612-AC2A-4697-934F-372E4D5EE3F4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*",
            "matchCriteriaId": "A06D2291-5D89-4B76-99E0-52505634A63B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*",
            "matchCriteriaId": "8F01F07A-79F7-4F4B-8E3A-9C7D93C83A63",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*",
            "matchCriteriaId": "9EDA2864-F94B-48EB-98F3-FDBFCECCC4A8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*",
            "matchCriteriaId": "4828BEE0-E891-491B-903D-A50B0E37273C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*",
            "matchCriteriaId": "55723BB4-E62B-4034-A434-485FE0E6BAF5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*",
            "matchCriteriaId": "19F55784-CC11-4024-9A42-EFEEF7B2366F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*",
            "matchCriteriaId": "1D694B0A-9BCF-49C8-A787-B0AFE51C7DC5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*",
            "matchCriteriaId": "C91F9508-E18D-4928-9DF5-DE2DDBEC56D3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*",
            "matchCriteriaId": "3ED7F693-8012-4F88-BC71-CF108E20664A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*",
            "matchCriteriaId": "40EE98AC-754A-4FD9-B51A-9E2674584FD9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*",
            "matchCriteriaId": "13B41C54-AF21-4637-A852-F997635B4E83",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*",
            "matchCriteriaId": "91B41697-2D70-488D-A5C3-CB9D435560CA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*",
            "matchCriteriaId": "7D43DB84-7BCF-429B-849A-7189EC1922D0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*",
            "matchCriteriaId": "CEC2346B-8DBD-4D53-9866-CFBDD3AACEF2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*",
            "matchCriteriaId": "2BC95097-8CA6-42FE-98D7-F968E37C11B7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*",
            "matchCriteriaId": "4F8FA85C-1200-4FD2-B5D7-906300748BD4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*",
            "matchCriteriaId": "5D0B177B-2A31-48E9-81C7-1024E2452486",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*",
            "matchCriteriaId": "7CCA01F3-3A14-4450-8A68-B1DA22C685B7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*",
            "matchCriteriaId": "1AB351AE-8C29-4E67-8699-0AAC6B3383E2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*",
            "matchCriteriaId": "14A34D9D-5FA2-434B-836E-3CE63D716CCB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*",
            "matchCriteriaId": "E8440F05-F32B-4D40-90B7-04BF22107D86",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*",
            "matchCriteriaId": "FB6C6F6D-1EC0-4BD9-97A4-CFDE70DF0C43",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*",
            "matchCriteriaId": "6189BD4C-A3E2-451B-96B2-FF01250E946D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*",
            "matchCriteriaId": "389EE453-8B07-45DD-BE9C-277C9C5CB156",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*",
            "matchCriteriaId": "BA4D4638-4734-4B16-87AA-EF4B5D2DDD7A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*",
            "matchCriteriaId": "D54A2E63-6E0C-4E17-86A8-459B0A7EE00B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*",
            "matchCriteriaId": "E6136F0A-3010-4BAD-811B-D047CF5E6F64",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*",
            "matchCriteriaId": "525EFA40-B14B-47E9-8FBD-45721A802DB6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*",
            "matchCriteriaId": "69142944-1EC0-4F94-862E-FA7F2E101101",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*",
            "matchCriteriaId": "30016C06-372D-4F98-84A8-0732CA054970",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*",
            "matchCriteriaId": "E1536E2B-84EC-46A3-9B6F-026364A9D927",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*",
            "matchCriteriaId": "5E6F1F60-30E2-407C-8152-EEEB7EFE24CB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*",
            "matchCriteriaId": "3C907301-2C8F-465B-8134-94130E29F5DB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*",
            "matchCriteriaId": "E81C89FD-40CB-471E-9967-90ACDCF79373",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*",
            "matchCriteriaId": "55E8AEEC-A686-49D6-B298-AEE4E838E769",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*",
            "matchCriteriaId": "CB0618EC-6A0B-4AC3-BF6D-E51AC84C4E15",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*",
            "matchCriteriaId": "7B27F133-8EB4-4761-A706-DF42D4EB55F6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*",
            "matchCriteriaId": "BF975472-B7E7-4AC8-B834-DA19897A4894",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*",
            "matchCriteriaId": "48A82613-F3FD-4E89-8E4A-F3F05A616171",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*",
            "matchCriteriaId": "0D42CA1F-7C21-47C1-8A9C-1015286FCBE2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*",
            "matchCriteriaId": "7C83A4EF-B96F-40EC-BA1F-FE1370AF78AC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*",
            "matchCriteriaId": "C151FDAB-DE34-4A7E-9762-6E99386798BF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*",
            "matchCriteriaId": "53025212-05F0-41FE-81F8-023B1784BB8C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*",
            "matchCriteriaId": "68EAC2B9-32A5-4721-BB35-16D519CD1BBC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*",
            "matchCriteriaId": "7411EF71-CBEB-4127-935F-3C732A1E22AC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*",
            "matchCriteriaId": "0C4B8930-1B65-4894-AFA8-C323AA7A8292",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*",
            "matchCriteriaId": "B4977345-BD8C-41C7-9DD7-1E41D6CC6438",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*",
            "matchCriteriaId": "EFE030A4-5B14-4C2D-B953-E80C98FB26EE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*",
            "matchCriteriaId": "9F616FD4-83BF-4A9A-AFFD-0D3E2544DC7E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*",
            "matchCriteriaId": "00512630-8B88-43B0-9ED3-2B33C64CC9A9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*",
            "matchCriteriaId": "A88EEF11-C7DA-4E2D-A030-FC177E696557",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*",
            "matchCriteriaId": "BE8453D9-7275-4A5F-8732-F05662FFF2E8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*",
            "matchCriteriaId": "E306B896-9BBB-424B-8D99-7A1A79AEFE9D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*",
            "matchCriteriaId": "ACA87B86-33D5-4BEA-A13D-EEB4922D511E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*",
            "matchCriteriaId": "77AA0D23-B101-445C-A260-ED3152A93D17",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*",
            "matchCriteriaId": "7D7DCCF7-FC83-4767-A0C2-C84A8B14F93B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*",
            "matchCriteriaId": "FD397568-7F1F-4153-AF08-B22D4D3B45F9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*",
            "matchCriteriaId": "984416EF-B121-40CE-B3AD-E22A06BB5844",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*",
            "matchCriteriaId": "C4B58652-EE24-43CF-8ABE-4A01B2C9938C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*",
            "matchCriteriaId": "8090CF73-AEA7-43FC-A960-321BED3B1682",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*",
            "matchCriteriaId": "823164E5-609D-4F24-86A5-E25618FE86A7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*",
            "matchCriteriaId": "E13CD688-63C3-4FFA-9D13-696005F0C155",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*",
            "matchCriteriaId": "B397B18C-8A7A-4766-9A68-98B26E190A4A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*",
            "matchCriteriaId": "2DB345E3-BAD0-497E-93AE-5E4DC669C192",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*",
            "matchCriteriaId": "840FEB19-2C66-4004-A488-B90219F8AC05",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*",
            "matchCriteriaId": "C260F966-73D7-43F3-A329-8C558A695821",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*",
            "matchCriteriaId": "28130A79-39B5-43E8-A690-C8E9C62483F8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*",
            "matchCriteriaId": "5E8548AB-D9E8-4E65-AF24-9F9021F99834",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]
References

Sources include official advisories and independent security research.