Cyber Posture

CVE-2025-55182

Critical · CISA KEV · Active Exploitation · Ransomware-linked

Published: 03 December 2025
Modified: 10 December 2025
KEV Added: 05 December 2025
Patch: 03 December 2025

CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.8201 (99.2nd percentile)
Risk Priority: 89 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Requires timely patching of the unsafe deserialization flaw in React Server Components as outlined in vendor advisories, directly eliminating the RCE vulnerability.

prevent: Enforces validation and sanitization of untrusted HTTP payloads before deserialization, preventing exploitation of CWE-502 in Server Function endpoints.

prevent / detect: Boundary protection devices inspect and filter malicious HTTP requests targeting exposed Server Function endpoints, mitigating pre-auth RCE attempts.

Security Summary · AI

CVE-2025-55182 is a pre-authentication remote code execution vulnerability affecting React Server Components in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw arises from vulnerable code that unsafely deserializes payloads from HTTP requests sent to Server Function endpoints. Published on 2025-12-03, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-502 (Deserialization of Untrusted Data).

Unauthenticated remote attackers can exploit this vulnerability by sending crafted HTTP requests to exposed Server Function endpoints, triggering deserialization and achieving arbitrary remote code execution on the affected server. The attack requires no privileges, user interaction, or special access; its low complexity and network reachability give it broad exploitation potential, and because the scope is changed, the impact extends to full loss of confidentiality, integrity, and availability.

Advisories from React at https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components and Facebook at https://www.facebook.com/security/advisories/cve-2025-55182 outline mitigations and patches. Further technical discussion appears on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/12/03/4 and Hacker News at https://news.ycombinator.com/item?id=46136026.

An AWS security blog notes rapid real-world exploitation by China-nexus cyber threat groups, dubbing the issue "react2shell" (https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/).

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 05 December 2025

Affected Products

facebook / react: 19.0.0, 19.1.0, 19.1.1, 19.2.0
vercel / next.js: 14.3.0, 15.6.0, 16.0.0 · 15.0.0 to 15.0.5 · 15.1.0 to 15.1.9 · 15.2.0 to 15.2.6

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote code execution via crafted HTTP requests to exposed public-facing Server Function endpoints in React Server Components, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
