CVE-2025-55182
CVE-2025-55182 is a critical-severity vulnerability in Facebook React with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-12-05). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-12-05)
- EU (EUVD) id: EUVD-2025-200983
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-12-05)
- Weakness: CWE-502
- Affected product: Facebook React
- Published:
- Last modified:
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
CVE-2025-55182: Critical Pre-Auth RCE in React Server Components via Unsafe Deserialization
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-55182 |
| CVSS v3.1 | 10.0 (Critical) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-502: Deserialization of Untrusted Data |
| EPSS | 99.56% (Percentile: 99.94%) |
| KEV | Yes (Added 2025-12-05) |
| EU Exploited | Yes (Since 2025-12-05) |
| Ransomware | Associated |
| Published | 2025-12-03 |
| Assigner | Meta / Facebook ([email protected]) |
Summary
CVE-2025-55182 is a pre-authentication remote code execution (RCE) vulnerability affecting React Server Components versions 19.0.0 through 19.2.0. The flaw resides in the server-side deserialization logic that handles incoming HTTP requests to Server Function endpoints. An unauthenticated remote attacker can exploit this weakness to execute arbitrary code on the target server by submitting a maliciously crafted serialized payload. The vulnerability carries a CVSS v3.1 score of 10.0 and has been actively exploited in the wild by threat actors since early December 2025, including in ransomware campaigns.
Background
React Server Components (RSC) is an architecture introduced by the React team to enable server-side rendering of React components with zero client-side JavaScript overhead for static portions of a page. The framework uses Server Functions — special functions marked with the "use server" directive — that execute on the server and can be called remotely from the client.
The affected packages — react-server-dom-webpack, react-server-dom-turbopack, and react-server-dom-parcel — provide the server-side transport layers that handle serialization and deserialization of props, actions, and function arguments between client and server. These packages are foundational to modern React meta-frameworks, most notably Next.js, which bundles them by default in its App Router implementation.
Root Cause
CWE-502: Deserialization of Untrusted Data
The root cause is the unsafe deserialization of attacker-controlled payloads at Server Function entry points. When a client invokes a Server Function, the React RSC runtime deserializes the HTTP request body to reconstruct function arguments and component props. The deserialization routine in affected versions fails to adequately validate or sanitize the incoming data stream, allowing an attacker to embed malicious objects or type confusion payloads that the runtime will instantiate and execute during the deserialization process.
This is a classic deserialization vulnerability class: the server trusts the structure and content of the serialized payload, and the underlying deserialization library or custom parser performs dangerous operations (such as invoking constructors, setters, or prototype methods) on attacker-controlled input. In this case, the chain leads directly to arbitrary code execution within the Node.js server process.
Impact
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H reflects the maximum severity of this flaw:
- Attack Vector (AV:N): Network — exploitable remotely without any network-level mitigations.
- Attack Complexity (AC:L): Low — no special conditions or race windows are required.
- Privileges Required (PR:N): None — fully unauthenticated.
- User Interaction (UI:N): None — can be triggered by a single crafted HTTP request.
- Scope (S:C): Changed — exploitation can affect resources beyond the vulnerable component, including the underlying host.
- Confidentiality, Integrity, Availability (C:H/I:H/A:H): Complete compromise of the application and potentially the server.
Real-world impact: The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog with a due date of 2025-12-05. AWS security researchers have publicly attributed active exploitation to China-nexus cyber threat groups, who have incorporated this flaw into broader intrusion chains. The EPSS score of 0.99562 places it in the 99.94th percentile, indicating near-certain probability of exploitation in the wild. Ransomware operators have also been observed leveraging this vulnerability.
Exploitation Walkthrough
Ethics caveat: The following description is intentionally high-level and framed from a defensive perspective. No weaponized exploit code is provided. Security practitioners should use this information to build detection rules and validation tests, not to attack systems without authorization.
-
Reconnaissance: The attacker identifies a target running React Server Components 19.x with Server Functions enabled. Common indicators include Next.js App Router deployments, RSC payload endpoints (
/_rsc,/action, or framework-specific action routes), or the presence ofreact-server-dom-*packages in the dependency tree. -
Payload Crafting: The attacker constructs a serialized payload that abuses the deserialization path. The exact structure depends on the specific deserialization implementation, but typically involves embedding objects with malicious constructors, prototype pollution chains, or unexpected type tags that the server-side parser will execute during reconstruction.
-
Delivery: The payload is sent as an HTTP POST request to a Server Function endpoint. Because the vulnerability is pre-authentication, no session tokens, CSRF tokens, or user credentials are required.
-
Execution: The server deserializes the payload, triggering the attacker-supplied code within the Node.js process. This yields shell-level access under the same privileges as the web server process.
-
Post-Exploitation: With code execution established, the attacker may deploy web shells, exfiltrate environment variables (often containing database credentials, API keys, and cloud tokens), pivot to internal networks, or drop ransomware payloads.
Affected and Patched Versions
Affected npm packages (React Server Components):
react-server-dom-webpack— versions 19.0.0, 19.1.0, 19.1.1, 19.2.0react-server-dom-turbopack— versions 19.0.0, 19.1.0, 19.1.1, 19.2.0react-server-dom-parcel— versions 19.0.0, 19.1.0, 19.1.1, 19.2.0
Patched versions:
- React 19.0.1, 19.1.2, and 19.2.1
Affected downstream framework (Next.js):
- Multiple Next.js canary versions (14.3.0-canary77 through canary87, 15.6.0-canary0 through canary57)
- Next.js 16.0.0
Note: The Next.js team typically releases security patches shortly after upstream React fixes. Verify your Next.js version against the project's security advisories and upgrade to a non-vulnerable release.
Remediation
Priority: Immediate — patch within 24 hours if internet-facing.
- Upgrade React Server Components packages to the latest patched versions (≥ 19.0.1, ≥ 19.1.2, or ≥ 19.2.1, depending on your current minor version).
- Upgrade Next.js to a version that bundles the fixed React server packages. Consult the Next.js security advisory for exact patched versions.
- Verify lock files: After upgrading, delete
node_modulesand your package lock file (package-lock.json,yarn.lock, orpnpm-lock.yaml), then reinstall to ensure transitive dependencies are resolved to the fixed versions. - Compensating controls (if patching is delayed):
- Place Server Function endpoints behind an authentication layer or API gateway that blocks unauthenticated requests.
- Implement strict input validation and size limits on all RSC action endpoints.
- Deploy Web Application Firewall (WAF) rules to detect anomalous serialized payloads.
- Run the application in a sandboxed container with minimal privileges, seccomp-bpf profiles, and read-only filesystems.
Detection
- Network monitoring: Look for unusual POST requests to Server Function endpoints containing large or structured binary payloads that do not match legitimate RSC action patterns.
- Runtime monitoring: Alert on unexpected child process spawns, file system writes, or network connections initiated by the Node.js application process.
- Dependency scanning: Use
npm audit, Snyk, or OWASP Dependency-Check to flag installations ofreact-server-dom-*in the 19.0.0–19.2.0 range. - Log analysis: Review access logs for repeated 500 errors or anomalous response times on action endpoints, which may indicate deserialization failures during exploit attempts.
Assessment
CVE-2025-55182 is an unauthenticated critical RCE with a near-perfect EPSS score and confirmed active exploitation by nation-state and ransomware actors. The combination of a 10.0 CVSS score, CISA KEV listing, and EU exploited status makes this one of the highest-priority vulnerabilities for any organization running React Server Components in 2025.
Key lessons:
- Deserialization is dangerous: Any code path that deserializes attacker-controlled input should be treated as a critical security boundary and subjected to strict input validation, allow-listing, and sandboxing.
- Supply-chain velocity matters: Because React Server Components is a core dependency of Next.js — one of the most popular React frameworks — a vulnerability here has an outsized blast radius. Maintaining rapid patch cycles for framework-level dependencies is essential.
References
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://www.facebook.com/security/advisories/cve-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- https://news.ycombinator.com/item?id=46136026
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
- https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- https://github.com/facebook/react/pull/35277
- https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
- https://github.com/facebook/react/releases/tag/v19.0.1
- https://github.com/facebook/react/releases/tag/v19.1.2
- https://github.com/facebook/react/releases/tag/v19.2.1
Frequently asked questions
- What is CVE-2025-55182?
- A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
- How severe is CVE-2025-55182?
- CVE-2025-55182 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-55182 being actively exploited?
- Yes. CVE-2025-55182 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-12-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-55182?
- CVE-2025-55182 primarily affects Facebook React. In total, 76 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-55182?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-55182 have an EU (EUVD) identifier?
- Yes. CVE-2025-55182 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-200983. It is also flagged as exploited in the EUVD (since 2025-12-05).
- When was CVE-2025-55182 published?
- CVE-2025-55182 was published on 2025-12-03 and last updated on 2026-06-17.
References
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://www.facebook.com/security/advisories/cve-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- https://news.ycombinator.com/item?id=46136026
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
Affected products (76)
- cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*
- cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*
More vulnerabilities in Facebook React
- CVE-2026-23864 — High (CVSS 7.5): Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages:…
- CVE-2025-67779 — High (CVSS 7.5): It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a…
- CVE-2025-55184 — High (CVSS 7.5): A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0,…
- CVE-2018-6341 — Medium (CVSS 6.1): React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names…
- CVE-2025-55183 — Medium (CVSS 5.3): An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1…
All CVEs affecting Facebook React →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →