CVE-2025-55182

Published Dec 3, 2025

Last updated 6 months ago

Exploit known CVSS critical 10.0

React

react2shell

npm

Cloud

Business logic

Supply chain

Server

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-55182 is a critical unauthenticated remote code execution (RCE) vulnerability found in React Server Components (RSC) versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. This vulnerability affects packages including `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`. The flaw stems from insecure deserialization in the RSC payload handling logic, allowing attacker-controlled data to influence server-side execution. Exploitation requires only a crafted HTTP request. Patches are available for React and Next.js. It is recommended to upgrade to patched React versions such as 19.0.1, 19.1.2, or 19.2.1, and to update frameworks like Next.js to their corresponding patched versions.

Description: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Source: cve-assign@fb.com
NVD status: Analyzed
Products: react, next.js

Insights

Analysis from the Intruder Security Team

Published Dec 4, 2025 Updated Dec 9, 2025

This vulnerability allows for code execution via a deserialisation vulnerability within the react-server-dom packages. This will affect React, NextJS and downstream projects who utilise these frameworks.

AssetNote released a technical research post and detection technique which is effective at identifying unpatches instances, where as full RCE chains may fail due to WAF's fingerprinting those payloads and bypasses heavily. Vercel's CEO released a simple breakdown of the issue and how it works.

We have witnessed widespread exploitation activity for this vulnerability, especially exploiting this to deploy an in-memory webshell. There has been some community efforts to detect exploitation activity, however exploiting this vulnerability usually leaves little to no trace which is difficult for defenders.

Patching immediately is the only effective strategy for dealing with this vulnerability.

Risk scores

CVSS 3.1

Type: Secondary
Base score: 10
Impact score: 6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Meta React Server Components Remote Code Execution Vulnerability
Exploit added on: Dec 5, 2025
Exploit action due: Dec 26, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "C66E1B0F-8C3F-4D27-9F46-B6EC78D8C60B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "C6C1C3E2-542D-4001-BFA9-6CF5A038971D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*",
            "matchCriteriaId": "A0907E1C-E2D2-44A4-AA46-CE80BCA4E015",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "0030B5E1-E79E-4C48-B500-91747FE2751D",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "FC2BCD83-CC87-4CDC-AD9B-2055912A8463",
            "versionEndExcluding": "15.0.5",
            "versionStartIncluding": "15.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "C5E767D4-E46F-4CA6-A22F-4D0671B9B102",
            "versionEndExcluding": "15.1.9",
            "versionStartIncluding": "15.1.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "5EFB6CB7-4A4F-464A-A1D8-62B50DF0B4BA",
            "versionEndExcluding": "15.2.6",
            "versionStartIncluding": "15.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "83AF54D7-410D-42B4-853A-8A1973636542",
            "versionEndExcluding": "15.3.6",
            "versionStartIncluding": "15.3.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "3D666EA7-BDAE-4E67-A331-B7403C3AA482",
            "versionEndExcluding": "15.4.8",
            "versionStartIncluding": "15.4.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "E666ECDA-7A29-4D3D-AC40-357F044AD595",
            "versionEndExcluding": "15.5.7",
            "versionStartIncluding": "15.5.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "CF65554E-4BF0-4344-AE7F-9E09E34E084F",
            "versionEndExcluding": "16.0.7",
            "versionStartIncluding": "16.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*",
            "matchCriteriaId": "B209A306-CE1A-448D-8653-7627302399B7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*",
            "matchCriteriaId": "D1DCAC23-7ED0-456B-8AE2-57689199F708",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*",
            "matchCriteriaId": "8B35D612-AC2A-4697-934F-372E4D5EE3F4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*",
            "matchCriteriaId": "A06D2291-5D89-4B76-99E0-52505634A63B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*",
            "matchCriteriaId": "8F01F07A-79F7-4F4B-8E3A-9C7D93C83A63",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*",
            "matchCriteriaId": "9EDA2864-F94B-48EB-98F3-FDBFCECCC4A8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*",
            "matchCriteriaId": "4828BEE0-E891-491B-903D-A50B0E37273C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*",
            "matchCriteriaId": "55723BB4-E62B-4034-A434-485FE0E6BAF5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*",
            "matchCriteriaId": "19F55784-CC11-4024-9A42-EFEEF7B2366F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*",
            "matchCriteriaId": "1D694B0A-9BCF-49C8-A787-B0AFE51C7DC5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*",
            "matchCriteriaId": "C91F9508-E18D-4928-9DF5-DE2DDBEC56D3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*",
            "matchCriteriaId": "3ED7F693-8012-4F88-BC71-CF108E20664A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*",
            "matchCriteriaId": "40EE98AC-754A-4FD9-B51A-9E2674584FD9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*",
            "matchCriteriaId": "13B41C54-AF21-4637-A852-F997635B4E83",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*",
            "matchCriteriaId": "91B41697-2D70-488D-A5C3-CB9D435560CA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*",
            "matchCriteriaId": "7D43DB84-7BCF-429B-849A-7189EC1922D0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*",
            "matchCriteriaId": "CEC2346B-8DBD-4D53-9866-CFBDD3AACEF2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*",
            "matchCriteriaId": "2BC95097-8CA6-42FE-98D7-F968E37C11B7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*",
            "matchCriteriaId": "4F8FA85C-1200-4FD2-B5D7-906300748BD4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*",
            "matchCriteriaId": "5D0B177B-2A31-48E9-81C7-1024E2452486",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*",
            "matchCriteriaId": "7CCA01F3-3A14-4450-8A68-B1DA22C685B7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*",
            "matchCriteriaId": "1AB351AE-8C29-4E67-8699-0AAC6B3383E2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*",
            "matchCriteriaId": "14A34D9D-5FA2-434B-836E-3CE63D716CCB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*",
            "matchCriteriaId": "E8440F05-F32B-4D40-90B7-04BF22107D86",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*",
            "matchCriteriaId": "FB6C6F6D-1EC0-4BD9-97A4-CFDE70DF0C43",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*",
            "matchCriteriaId": "6189BD4C-A3E2-451B-96B2-FF01250E946D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*",
            "matchCriteriaId": "389EE453-8B07-45DD-BE9C-277C9C5CB156",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*",
            "matchCriteriaId": "BA4D4638-4734-4B16-87AA-EF4B5D2DDD7A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*",
            "matchCriteriaId": "D54A2E63-6E0C-4E17-86A8-459B0A7EE00B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*",
            "matchCriteriaId": "E6136F0A-3010-4BAD-811B-D047CF5E6F64",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*",
            "matchCriteriaId": "525EFA40-B14B-47E9-8FBD-45721A802DB6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*",
            "matchCriteriaId": "69142944-1EC0-4F94-862E-FA7F2E101101",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*",
            "matchCriteriaId": "30016C06-372D-4F98-84A8-0732CA054970",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*",
            "matchCriteriaId": "E1536E2B-84EC-46A3-9B6F-026364A9D927",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*",
            "matchCriteriaId": "5E6F1F60-30E2-407C-8152-EEEB7EFE24CB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*",
            "matchCriteriaId": "3C907301-2C8F-465B-8134-94130E29F5DB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*",
            "matchCriteriaId": "E81C89FD-40CB-471E-9967-90ACDCF79373",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*",
            "matchCriteriaId": "55E8AEEC-A686-49D6-B298-AEE4E838E769",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*",
            "matchCriteriaId": "CB0618EC-6A0B-4AC3-BF6D-E51AC84C4E15",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*",
            "matchCriteriaId": "7B27F133-8EB4-4761-A706-DF42D4EB55F6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*",
            "matchCriteriaId": "BF975472-B7E7-4AC8-B834-DA19897A4894",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*",
            "matchCriteriaId": "48A82613-F3FD-4E89-8E4A-F3F05A616171",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*",
            "matchCriteriaId": "0D42CA1F-7C21-47C1-8A9C-1015286FCBE2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*",
            "matchCriteriaId": "7C83A4EF-B96F-40EC-BA1F-FE1370AF78AC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*",
            "matchCriteriaId": "C151FDAB-DE34-4A7E-9762-6E99386798BF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*",
            "matchCriteriaId": "53025212-05F0-41FE-81F8-023B1784BB8C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*",
            "matchCriteriaId": "68EAC2B9-32A5-4721-BB35-16D519CD1BBC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*",
            "matchCriteriaId": "7411EF71-CBEB-4127-935F-3C732A1E22AC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*",
            "matchCriteriaId": "0C4B8930-1B65-4894-AFA8-C323AA7A8292",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*",
            "matchCriteriaId": "B4977345-BD8C-41C7-9DD7-1E41D6CC6438",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*",
            "matchCriteriaId": "EFE030A4-5B14-4C2D-B953-E80C98FB26EE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*",
            "matchCriteriaId": "9F616FD4-83BF-4A9A-AFFD-0D3E2544DC7E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*",
            "matchCriteriaId": "00512630-8B88-43B0-9ED3-2B33C64CC9A9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*",
            "matchCriteriaId": "A88EEF11-C7DA-4E2D-A030-FC177E696557",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*",
            "matchCriteriaId": "BE8453D9-7275-4A5F-8732-F05662FFF2E8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*",
            "matchCriteriaId": "E306B896-9BBB-424B-8D99-7A1A79AEFE9D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*",
            "matchCriteriaId": "ACA87B86-33D5-4BEA-A13D-EEB4922D511E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*",
            "matchCriteriaId": "77AA0D23-B101-445C-A260-ED3152A93D17",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*",
            "matchCriteriaId": "7D7DCCF7-FC83-4767-A0C2-C84A8B14F93B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*",
            "matchCriteriaId": "FD397568-7F1F-4153-AF08-B22D4D3B45F9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*",
            "matchCriteriaId": "984416EF-B121-40CE-B3AD-E22A06BB5844",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*",
            "matchCriteriaId": "C4B58652-EE24-43CF-8ABE-4A01B2C9938C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*",
            "matchCriteriaId": "8090CF73-AEA7-43FC-A960-321BED3B1682",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*",
            "matchCriteriaId": "823164E5-609D-4F24-86A5-E25618FE86A7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*",
            "matchCriteriaId": "E13CD688-63C3-4FFA-9D13-696005F0C155",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*",
            "matchCriteriaId": "B397B18C-8A7A-4766-9A68-98B26E190A4A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*",
            "matchCriteriaId": "2DB345E3-BAD0-497E-93AE-5E4DC669C192",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*",
            "matchCriteriaId": "840FEB19-2C66-4004-A488-B90219F8AC05",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*",
            "matchCriteriaId": "C260F966-73D7-43F3-A329-8C558A695821",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*",
            "matchCriteriaId": "28130A79-39B5-43E8-A690-C8E9C62483F8",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*",
            "matchCriteriaId": "5E8548AB-D9E8-4E65-AF24-9F9021F99834",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.