Vulnerability-Lookup

CVE-2025-55182 (GCVE-0-2025-55182)

Vulnerability from cvelistv5 – Published: 2025-12-03 15:40 – Updated: 2026-02-26 16:57

CISA KEV EUVD KEV

Summary

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Severity

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC

Exploitation: active Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

Deserialization of Untrusted Data (CWE-502)

Assigner

URL	Tags
https://www.facebook.com/security/advisories/cve-…	x_refsource_CONFIRM
https://react.dev/blog/2025/12/03/critical-securi…	x_refsource_CONFIRM
https://aws.amazon.com/blogs/security/china-nexus…	media-coverage
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://news.ycombinator.com/item?id=46136026

Vendor	Product	Version
Meta	react-server-dom-webpack	Affected: 19.0.0 , ≤ 19.0.0 (semver) Affected: 19.1.0 , ≤ 19.1.1 (semver) Affected: 19.2.0 , ≤ 19.2.0 (semver)
Meta	react-server-dom-turbopack	Affected: 19.0.0 , ≤ 19.0.0 (semver) Affected: 19.1.0 , ≤ 19.1.1 (semver) Affected: 19.2.0 , ≤ 19.2.0 (semver)
Meta	react-server-dom-parcel	Affected: 19.0.0 , ≤ 19.0.0 (semver) Affected: 19.1.0 , ≤ 19.1.1 (semver) Affected: 19.2.0 , ≤ 19.2.0 (semver)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: f2499bae-8284-4870-958d-78827499a50b

Vulnerability ID: CVE-2025-55182

Status: Confirmed

Status Updated: 2025-12-05 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2025-12-05

Asserted: 2025-12-05

Scope

Notes: KEV entry: Meta React Server Components Remote Code Execution Vulnerability | Affected: Meta / React Server Components | Description: Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2025-12-12 | Known ransomware campaign use (KEV): Known | Notes (KEV): Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	React Server Components
Due Date	2025-12-12
Date Added	2025-12-05
Vendorproject	Meta
Vulnerabilityname	Meta React Server Components Remote Code Execution Vulnerability
Knownransomwarecampaignuse	Known

References

CVE-2025-55182

Created: 2026-02-02 12:25 UTC | Updated: 2026-02-06 07:17 UTC

EUVD KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: fe0059d8-6b86-4e56-99cf-a4411838fa90

Vulnerability ID: CVE-2025-55182

Status: Confirmed

Status Updated: 2026-04-08 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2026-04-08

Asserted: 2026-04-08

Scope

Notes: Affected: Meta / React Server Components | Description: Flaw in how React decodes payloads sent to React Server Function endpoints enabled unauthenticated remote code execution. Apps supporting React Server Components may still be vulnerable even if not implementing any React Server Function endpoints. | Exploitation type: APT | Threat actors: unknown | Origin source: cnw | Notes: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions

Evidence

Type: Csirt Report

Signal: Successful Exploitation

Confidence: 75%

Source: enisa-cnw-kev

Details

Cwes	-
Euvd	EUVD-2025-2009839
Notes	https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions
Catalog	ENISA / EU CSIRTs Network (CNW) KEV JSON
Product	React Server Components
Datereported	2026/04/08
Originsource	cnw
Vendorproject	Meta
Exploitationtype	APT
Vulnerabilityname	-
Threatactorsexploiting	unknown

References

Created: 2026-06-05 17:04 UTC | Updated: 2026-06-05 17:04 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55182",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-06T04:55:43.783137Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-12-05",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T16:57:36.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "media-coverage"
            ],
            "url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-12-05T00:00:00.000Z",
            "value": "CVE-2025-55182 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-12-04T17:32:12.884Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
          },
          {
            "url": "https://news.ycombinator.com/item?id=46136026"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "react-server-dom-webpack",
          "vendor": "Meta",
          "versions": [
            {
              "lessThanOrEqual": "19.0.0",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "19.1.1",
              "status": "affected",
              "version": "19.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "19.2.0",
              "status": "affected",
              "version": "19.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "react-server-dom-turbopack",
          "vendor": "Meta",
          "versions": [
            {
              "lessThanOrEqual": "19.0.0",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "19.1.1",
              "status": "affected",
              "version": "19.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "19.2.0",
              "status": "affected",
              "version": "19.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "react-server-dom-parcel",
          "vendor": "Meta",
          "versions": [
            {
              "lessThanOrEqual": "19.0.0",
              "status": "affected",
              "version": "19.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "19.1.1",
              "status": "affected",
              "version": "19.1.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "19.2.0",
              "status": "affected",
              "version": "19.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "dateAssigned": "2025-12-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Deserialization of Untrusted Data (CWE-502)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-11T20:15:37.699Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "Meta"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "Meta",
    "cveId": "CVE-2025-55182",
    "datePublished": "2025-12-03T15:40:56.894Z",
    "dateReserved": "2025-08-08T18:21:47.119Z",
    "dateUpdated": "2026-02-26T16:57:36.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-55182",
      "dateAdded": "2025-12-05",
      "dueDate": "2025-12-12",
      "knownRansomwareCampaignUse": "Known",
      "notes": "Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
      "product": "React Server Components",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.",
      "vendorProject": "Meta",
      "vulnerabilityName": "Meta React Server Components Remote Code Execution Vulnerability"
    },
    "epss": {
      "cve": "CVE-2025-55182",
      "date": "2026-06-06",
      "epss": "0.84489",
      "percentile": "0.99345"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55182\",\"sourceIdentifier\":\"cve-assign@fb.com\",\"published\":\"2025-12-03T16:15:56.463\",\"lastModified\":\"2025-12-06T02:00:02.510\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-assign@fb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"cisaExploitAdd\":\"2025-12-05\",\"cisaActionDue\":\"2025-12-26\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Meta React Server Components Remote Code Execution Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C66E1B0F-8C3F-4D27-9F46-B6EC78D8C60B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6C1C3E2-542D-4001-BFA9-6CF5A038971D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A0907E1C-E2D2-44A4-AA46-CE80BCA4E015\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0030B5E1-E79E-4C48-B500-91747FE2751D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.0.0\",\"versionEndExcluding\":\"15.0.5\",\"matchCriteriaId\":\"FC2BCD83-CC87-4CDC-AD9B-2055912A8463\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.1.0\",\"versionEndExcluding\":\"15.1.9\",\"matchCriteriaId\":\"C5E767D4-E46F-4CA6-A22F-4D0671B9B102\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.2.0\",\"versionEndExcluding\":\"15.2.6\",\"matchCriteriaId\":\"5EFB6CB7-4A4F-464A-A1D8-62B50DF0B4BA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.3.0\",\"versionEndExcluding\":\"15.3.6\",\"matchCriteriaId\":\"83AF54D7-410D-42B4-853A-8A1973636542\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.4.0\",\"versionEndExcluding\":\"15.4.8\",\"matchCriteriaId\":\"3D666EA7-BDAE-4E67-A331-B7403C3AA482\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"15.5.0\",\"versionEndExcluding\":\"15.5.7\",\"matchCriteriaId\":\"E666ECDA-7A29-4D3D-AC40-357F044AD595\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.0.7\",\"matchCriteriaId\":\"CF65554E-4BF0-4344-AE7F-9E09E34E084F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"B209A306-CE1A-448D-8653-7627302399B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D1DCAC23-7ED0-456B-8AE2-57689199F708\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"8B35D612-AC2A-4697-934F-372E4D5EE3F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"A06D2291-5D89-4B76-99E0-52505634A63B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"8F01F07A-79F7-4F4B-8E3A-9C7D93C83A63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"9EDA2864-F94B-48EB-98F3-FDBFCECCC4A8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"4828BEE0-E891-491B-903D-A50B0E37273C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"55723BB4-E62B-4034-A434-485FE0E6BAF5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"19F55784-CC11-4024-9A42-EFEEF7B2366F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"1D694B0A-9BCF-49C8-A787-B0AFE51C7DC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C91F9508-E18D-4928-9DF5-DE2DDBEC56D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"3ED7F693-8012-4F88-BC71-CF108E20664A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"40EE98AC-754A-4FD9-B51A-9E2674584FD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"13B41C54-AF21-4637-A852-F997635B4E83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"91B41697-2D70-488D-A5C3-CB9D435560CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7D43DB84-7BCF-429B-849A-7189EC1922D0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"CEC2346B-8DBD-4D53-9866-CFBDD3AACEF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"2BC95097-8CA6-42FE-98D7-F968E37C11B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"4F8FA85C-1200-4FD2-B5D7-906300748BD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"5D0B177B-2A31-48E9-81C7-1024E2452486\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7CCA01F3-3A14-4450-8A68-B1DA22C685B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"1AB351AE-8C29-4E67-8699-0AAC6B3383E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"14A34D9D-5FA2-434B-836E-3CE63D716CCB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E8440F05-F32B-4D40-90B7-04BF22107D86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"FB6C6F6D-1EC0-4BD9-97A4-CFDE70DF0C43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"6189BD4C-A3E2-451B-96B2-FF01250E946D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"389EE453-8B07-45DD-BE9C-277C9C5CB156\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"BA4D4638-4734-4B16-87AA-EF4B5D2DDD7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"D54A2E63-6E0C-4E17-86A8-459B0A7EE00B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E6136F0A-3010-4BAD-811B-D047CF5E6F64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"525EFA40-B14B-47E9-8FBD-45721A802DB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"69142944-1EC0-4F94-862E-FA7F2E101101\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"30016C06-372D-4F98-84A8-0732CA054970\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E1536E2B-84EC-46A3-9B6F-026364A9D927\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"5E6F1F60-30E2-407C-8152-EEEB7EFE24CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"3C907301-2C8F-465B-8134-94130E29F5DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E81C89FD-40CB-471E-9967-90ACDCF79373\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"55E8AEEC-A686-49D6-B298-AEE4E838E769\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"CB0618EC-6A0B-4AC3-BF6D-E51AC84C4E15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7B27F133-8EB4-4761-A706-DF42D4EB55F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"BF975472-B7E7-4AC8-B834-DA19897A4894\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"48A82613-F3FD-4E89-8E4A-F3F05A616171\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0D42CA1F-7C21-47C1-8A9C-1015286FCBE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7C83A4EF-B96F-40EC-BA1F-FE1370AF78AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C151FDAB-DE34-4A7E-9762-6E99386798BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"53025212-05F0-41FE-81F8-023B1784BB8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"68EAC2B9-32A5-4721-BB35-16D519CD1BBC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7411EF71-CBEB-4127-935F-3C732A1E22AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0C4B8930-1B65-4894-AFA8-C323AA7A8292\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"B4977345-BD8C-41C7-9DD7-1E41D6CC6438\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"EFE030A4-5B14-4C2D-B953-E80C98FB26EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"9F616FD4-83BF-4A9A-AFFD-0D3E2544DC7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"00512630-8B88-43B0-9ED3-2B33C64CC9A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"A88EEF11-C7DA-4E2D-A030-FC177E696557\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"BE8453D9-7275-4A5F-8732-F05662FFF2E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E306B896-9BBB-424B-8D99-7A1A79AEFE9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"ACA87B86-33D5-4BEA-A13D-EEB4922D511E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"77AA0D23-B101-445C-A260-ED3152A93D17\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7D7DCCF7-FC83-4767-A0C2-C84A8B14F93B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"FD397568-7F1F-4153-AF08-B22D4D3B45F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"984416EF-B121-40CE-B3AD-E22A06BB5844\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C4B58652-EE24-43CF-8ABE-4A01B2C9938C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"8090CF73-AEA7-43FC-A960-321BED3B1682\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"823164E5-609D-4F24-86A5-E25618FE86A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"E13CD688-63C3-4FFA-9D13-696005F0C155\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"B397B18C-8A7A-4766-9A68-98B26E190A4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"2DB345E3-BAD0-497E-93AE-5E4DC669C192\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"840FEB19-2C66-4004-A488-B90219F8AC05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C260F966-73D7-43F3-A329-8C558A695821\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"28130A79-39B5-43E8-A690-C8E9C62483F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"5E8548AB-D9E8-4E65-AF24-9F9021F99834\"}]}]}],\"references\":[{\"url\":\"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\",\"source\":\"cve-assign@fb.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.facebook.com/security/advisories/cve-2025-55182\",\"source\":\"cve-assign@fb.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/12/03/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://news.ycombinator.com/item?id=46136026\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/12/03/4\"}, {\"url\": \"https://news.ycombinator.com/item?id=46136026\"}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-12-04T17:32:12.884Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55182\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-06T04:55:43.783137Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-12-05\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-05T00:00:00.000Z\", \"value\": \"CVE-2025-55182 added to CISA KEV\"}], \"references\": [{\"url\": \"https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/\", \"tags\": [\"media-coverage\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-03T16:30:54.157Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 10, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Meta\", \"product\": \"react-server-dom-webpack\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.0.0\"}, {\"status\": \"affected\", \"version\": \"19.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.1.1\"}, {\"status\": \"affected\", \"version\": \"19.2.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.2.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Meta\", \"product\": \"react-server-dom-turbopack\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.0.0\"}, {\"status\": \"affected\", \"version\": \"19.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.1.1\"}, {\"status\": \"affected\", \"version\": \"19.2.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.2.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Meta\", \"product\": \"react-server-dom-parcel\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.0.0\"}, {\"status\": \"affected\", \"version\": \"19.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.1.1\"}, {\"status\": \"affected\", \"version\": \"19.2.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.2.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.facebook.com/security/advisories/cve-2025-55182\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"dateAssigned\": \"2025-12-02T00:00:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"Deserialization of Untrusted Data (CWE-502)\"}]}], \"providerMetadata\": {\"orgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"shortName\": \"Meta\", \"dateUpdated\": \"2025-12-11T20:15:37.699Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-55182\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T16:57:36.794Z\", \"dateReserved\": \"2025-08-08T18:21:47.119Z\", \"assignerOrgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"datePublished\": \"2025-12-03T15:40:56.894Z\", \"assignerShortName\": \"Meta\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-FV66-9V8Q-G76R

Vulnerability from github – Published: 2025-12-03 19:07 – Updated: 2025-12-09 16:53

Summary

React Server Components are Vulnerable to RCE

Details

Impact

There is an unauthenticated remote code execution vulnerability in React Server Components.

We recommend upgrading immediately.

The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of: * react-server-dom-webpack * react-server-dom-parcel * react-server-dom-turbopack

Patches

A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

References

See the blog post for more information and upgrade instructions.

Severity

10.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-03T19:07:39Z",
    "nvd_published_at": "2025-12-03T16:15:56Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app\u2019s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
  "id": "GHSA-fv66-9v8q-g76r",
  "modified": "2025-12-09T16:53:23Z",
  "published": "2025-12-03T19:07:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/pull/35277"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ejpir/CVE-2025-55182-poc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/facebook/react"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/releases/tag/v19.0.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/releases/tag/v19.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/releases/tag/v19.2.1"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=46136026"
    },
    {
      "type": "WEB",
      "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "React Server Components are Vulnerable to RCE"
}

NCSC-2025-0380

Vulnerability from csaf_ncscnl - Published: 2025-12-03 20:11 - Updated: 2025-12-05 12:13

Summary

Kwetsbaarheden verholpen in React Server Components

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten: React heeft kwetsbaarheden verholpen in bepaalde versies van React Server Components (specifiek voor versies 19.0.0, 19.1.0, 19.1.1 en 19.2.0).

Interpretaties: Een ongeauthenticeerde aanvaller kan een malafide HTTP-verzoek sturen naar elke Server Function-endpoint dat, wanneer het door React wordt verwerkt, kan leiden tot remote code execution op de server. Echter, zelfs als een Server Function-endpoint niet is geïmplementeerd, kan exploitatie nog steeds mogelijk zijn via React Server Components. Door deze fout kunnen aanvallers op afstand willekeurige code uitvoeren, wat de integriteit van de getroffen applicaties ernstig in gevaar brengt. De kwetsbaarheid bevindt zich in de React versies 19.0, 19.1.0, 19.1.1 en 19.2.0 van: - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack Als bovengenoemde pakketten worden gebruikt, upgrade dan onmiddellijk. Deze kwetsbaarheid is verholpen in de versies 19.0.1, 19.1.2 en 19.2.1. Als de React-code van uw applicatie geen server gebruikt, is uw applicatie niet gevoelig voor deze kwetsbaarheid. Eveneens, als uw applicatie geen framework, bundler of bundler-plugin gebruikt die React Server Components ondersteunt, is uw applicatie niet getroffen. De volgende React-frameworks en bundlers zijn getroffen: - Next - React Router - Waku - @parcel/rsc - @vitejs/plugin-rsc - rwsdk De kwetsbaarheid treft ook Next.js met App Router, en heeft hiervoor aanvankelijk het kenmerk CVE-2025-66478 toegewezen gekregen, maar is inmiddels als zelfstandig CVE-id teruggetrokken. De kwetsbaarheid bevindt zich in de Next.js-versies 14.3.0-canary, 15.x en 16.x en is verholpen in de volgende gepatchte versies: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 en 16.0.7. **Update**: Het NCSC heeft middels een openbare bron vernomen dat misbruik van de kwetsbaarheid met kenmerk CVE-2025-55182 sinds 3 december is waargenomen. Inmiddels is er publieke proof-of-conceptcode beschikbaar voor de betreffende kwetsbaarheid, wat het risico op grootschalig misbruik verhoogt.

Oplossingen: React heeft beveiligingsupdates uitgebracht om de kwetsbaarhedeid te verhelpen. Het NCSC adviseert om deze updates zo snel mogelijk te installeren. Zie de instructies van React voor meer informatie.

Dreigingsinformatie: Er is publieke PoC code beschrikbaar voor CVE-2025-55182 wat het risico op misbruik verhoogt.

Kans: high

Schade: high

CWE-502: Deserialization of Untrusted Data

CVE-2025-55182

React Server Components versions 19.0.0 to 19.2.0 contain a critical unauthenticated remote code execution vulnerability due to unsafe deserialization of HTTP request payloads, necessitating immediate upgrades to fixed versions.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Known affected 6 products

Product	Identifier	Version	Remediation
vers:unknown/* Meta / react-server-dom-parcel		vers:unknown/*
vers:unknown/* Meta / react-server-dom-turbopack		vers:unknown/*
vers:unknown/* Meta / react-server-dom-webpack		vers:unknown/*
vers:unknown/* Meta Open Source / react-server-dom-parcel		vers:unknown/*
vers:unknown/* Meta Open Source / react-server-dom-turbopack		vers:unknown/*
vers:unknown/* Meta Open Source / react-server-dom-webpack		vers:unknown/*

CVE-2025-66478

A vulnerability tracked as CVE-2025-55182 has been identified in specific React packages, including Next.js versions 15.x and 16.x, necessitating upgrades to patched versions.

10.0 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Affected products

Known affected 6 products

Product	Identifier	Version	Remediation
vers:unknown/* Meta / react-server-dom-parcel		vers:unknown/*
vers:unknown/* Meta / react-server-dom-turbopack		vers:unknown/*
vers:unknown/* Meta / react-server-dom-webpack		vers:unknown/*
vers:unknown/* Meta Open Source / react-server-dom-parcel		vers:unknown/*
vers:unknown/* Meta Open Source / react-server-dom-turbopack		vers:unknown/*
vers:unknown/* Meta Open Source / react-server-dom-webpack		vers:unknown/*

References

7 references

URL	Category
https://aws.amazon.com/blogs/security/china-nexus…	external
https://nvd.nist.gov/vuln/detail/CVE-2025-55182	external
https://nvd.nist.gov/vuln/detail/CVE-2025-66478	external
https://react.dev/blog/2025/12/03/critical-securi…	external
https://www.wiz.io/blog/critical-vulnerability-in…	external
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self
https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "React heeft kwetsbaarheden verholpen in bepaalde versies van React Server Components (specifiek voor versies 19.0.0, 19.1.0, 19.1.1 en 19.2.0).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een ongeauthenticeerde aanvaller kan een malafide HTTP-verzoek sturen naar elke Server Function-endpoint dat, wanneer het door React wordt verwerkt, kan leiden tot remote code execution op de server. Echter, zelfs als een Server Function-endpoint niet is ge\u00efmplementeerd, kan exploitatie nog steeds mogelijk zijn via React Server Components. Door deze fout kunnen aanvallers op afstand willekeurige code uitvoeren, wat de integriteit van de getroffen applicaties ernstig in gevaar brengt.\n\nDe kwetsbaarheid bevindt zich in de React versies 19.0, 19.1.0, 19.1.1 en 19.2.0 van:\n\n- react-server-dom-webpack\n- react-server-dom-parcel\n- react-server-dom-turbopack\n\nAls bovengenoemde pakketten worden gebruikt, upgrade dan onmiddellijk. Deze kwetsbaarheid is verholpen in de versies 19.0.1, 19.1.2 en 19.2.1. Als de React-code van uw applicatie geen server gebruikt, is uw applicatie niet gevoelig voor deze kwetsbaarheid. Eveneens, als uw applicatie geen framework, bundler of bundler-plugin gebruikt die React Server Components ondersteunt, is uw applicatie niet getroffen. \n\nDe volgende React-frameworks en bundlers zijn getroffen: \n\n- Next\n- React Router\n- Waku\n- @parcel/rsc\n- @vitejs/plugin-rsc\n- rwsdk\n\nDe kwetsbaarheid treft ook Next.js met App Router, en heeft hiervoor aanvankelijk het kenmerk CVE-2025-66478 toegewezen gekregen, maar is inmiddels als zelfstandig CVE-id teruggetrokken. De kwetsbaarheid bevindt zich in de Next.js-versies 14.3.0-canary, 15.x en 16.x en is verholpen in de volgende gepatchte versies: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 en 16.0.7.\n\n**Update**: Het NCSC heeft middels een openbare bron vernomen dat misbruik van de kwetsbaarheid met kenmerk CVE-2025-55182 sinds 3 december is waargenomen. Inmiddels is er publieke proof-of-conceptcode beschikbaar voor de betreffende kwetsbaarheid, wat het risico op grootschalig misbruik verhoogt.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "React heeft beveiligingsupdates uitgebracht om de kwetsbaarhedeid te verhelpen. Het NCSC adviseert om deze updates zo snel mogelijk te installeren. Zie de instructies van React voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "description",
        "text": "Er is publieke PoC code beschrikbaar voor CVE-2025-55182 wat het risico op misbruik verhoogt.",
        "title": "Dreigingsinformatie"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66478"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182"
      }
    ],
    "title": "Kwetsbaarheden verholpen in React Server Components",
    "tracking": {
      "current_release_date": "2025-12-05T12:13:36.590522Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0380",
      "initial_release_date": "2025-12-03T20:11:57.728117Z",
      "revision_history": [
        {
          "date": "2025-12-03T20:11:57.728117Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        },
        {
          "date": "2025-12-05T12:13:36.590522Z",
          "number": "1.0.1",
          "summary": "Het NCSC heeft middels een openbare bron vernomen dat misbruik van de kwetsbaarheid met kenmerk CVE-2025-55182 sinds 3 december is waargenomen. Inmiddels is er publieke proof-of-conceptcode beschikbaar voor de betreffende kwetsbaarheid, wat het risico op misbruik verhoogt."
        }
      ],
      "status": "final",
      "version": "1.0.1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-parcel"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-turbopack"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-webpack"
          }
        ],
        "category": "vendor",
        "name": "Meta"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-parcel"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-turbopack"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-webpack"
          }
        ],
        "category": "vendor",
        "name": "Meta Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-55182",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "React Server Components versions 19.0.0 to 19.2.0 contain a critical unauthenticated remote code execution vulnerability due to unsafe deserialization of HTTP request payloads, necessitating immediate upgrades to fixed versions.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55182 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55182.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6"
          ]
        }
      ],
      "title": "CVE-2025-55182"
    },
    {
      "cve": "CVE-2025-66478",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "A vulnerability tracked as CVE-2025-55182 has been identified in specific React packages, including Next.js versions 15.x and 16.x, necessitating upgrades to patched versions.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-66478 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66478.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6"
          ]
        }
      ],
      "title": "CVE-2025-66478"
    }
  ]
}

WID-SEC-W-2025-2738

Vulnerability from csaf_certbund - Published: 2025-12-03 23:00 - Updated: 2025-12-04 23:00

Summary

Vercel Next.js und React Server Components (React2Shell): Schwachstelle ermöglicht Codeausführung

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Next.js ist ein Framework für React-basierte Web-Anwendungen. React ist eine Open-Source-JavaScript-Bibliothek zur Erstellung von Benutzeroberflächen, insbesondere für Single-Page-Anwendungen.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Vercel Next.js und React ausnutzen, um beliebigen Programmcode auszuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2025-55182

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Vercel Next.js <15.4.8 Vercel / Next.js		<15.4.8
Vercel Next.js <15.3.6 Vercel / Next.js		<15.3.6
Vercel Next.js <15.2.6 Vercel / Next.js		<15.2.6
Open Source React <19.2.1 Open Source / React		<19.2.1
Vercel Next.js <15.1.9 Vercel / Next.js		<15.1.9
Open Source React <19.1.2 Open Source / React		<19.1.2
Vercel Next.js <16.0.7 Vercel / Next.js		<16.0.7
Vercel Next.js <15.5.7 Vercel / Next.js		<15.5.7
Vercel Next.js <15.0.5 Vercel / Next.js		<15.0.5
Open Source React <19.0.1 Open Source / React		<19.0.1

CVE-2025-66478

Affected products

Known affected 10 products

Product	Identifier	Version	Remediation
Vercel Next.js <15.4.8 Vercel / Next.js		<15.4.8
Vercel Next.js <15.3.6 Vercel / Next.js		<15.3.6
Vercel Next.js <15.2.6 Vercel / Next.js		<15.2.6
Open Source React <19.2.1 Open Source / React		<19.2.1
Vercel Next.js <15.1.9 Vercel / Next.js		<15.1.9
Open Source React <19.1.2 Open Source / React		<19.1.2
Vercel Next.js <16.0.7 Vercel / Next.js		<16.0.7
Vercel Next.js <15.5.7 Vercel / Next.js		<15.5.7
Vercel Next.js <15.0.5 Vercel / Next.js		<15.0.5
Open Source React <19.0.1 Open Source / React		<19.0.1

References

5 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/advisories/GHSA-9qr9-h5gf-34mp	external
https://github.com/joshterrill/CVE-2025-55182-rea…	external
https://nsfocusglobal.com/react-next-js-remote-co…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Next.js ist ein Framework f\u00fcr React-basierte Web-Anwendungen.\r\nReact ist eine Open-Source-JavaScript-Bibliothek zur Erstellung von Benutzeroberfl\u00e4chen, insbesondere f\u00fcr Single-Page-Anwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Vercel Next.js und React ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2738 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2738.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2738 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2738"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2025-12-03",
        "url": "https://github.com/advisories/GHSA-9qr9-h5gf-34mp"
      },
      {
        "category": "external",
        "summary": "PoC auf GitHub vom 2025-12-03",
        "url": "https://github.com/joshterrill/CVE-2025-55182-realistic-poc"
      },
      {
        "category": "external",
        "summary": "NSFOCUS Notice vom 2025-12-03",
        "url": "https://nsfocusglobal.com/react-next-js-remote-code-execution-vulnerability-cve-2025-55182-cve-2025-66478-notice/"
      }
    ],
    "source_lang": "en-US",
    "title": "Vercel Next.js und React Server Components (React2Shell): Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
    "tracking": {
      "current_release_date": "2025-12-04T23:00:00.000+00:00",
      "generator": {
        "date": "2025-12-05T06:07:14.393+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-2738",
      "initial_release_date": "2025-12-03T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-12-03T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-12-04T23:00:00.000+00:00",
          "number": "2",
          "summary": "Bezeichner React2Shell als Referenz aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c19.0.1",
                "product": {
                  "name": "Open Source React \u003c19.0.1",
                  "product_id": "T049091"
                }
              },
              {
                "category": "product_version",
                "name": "19.0.1",
                "product": {
                  "name": "Open Source React 19.0.1",
                  "product_id": "T049091-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:react:19.0.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c19.1.2",
                "product": {
                  "name": "Open Source React \u003c19.1.2",
                  "product_id": "T049092"
                }
              },
              {
                "category": "product_version",
                "name": "19.1.2",
                "product": {
                  "name": "Open Source React 19.1.2",
                  "product_id": "T049092-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:react:19.1.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c19.2.1",
                "product": {
                  "name": "Open Source React \u003c19.2.1",
                  "product_id": "T049093"
                }
              },
              {
                "category": "product_version",
                "name": "19.2.1",
                "product": {
                  "name": "Open Source React 19.2.1",
                  "product_id": "T049093-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:react:19.2.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "React"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c15.0.5",
                "product": {
                  "name": "Vercel Next.js \u003c15.0.5",
                  "product_id": "T049080"
                }
              },
              {
                "category": "product_version",
                "name": "15.0.5",
                "product": {
                  "name": "Vercel Next.js 15.0.5",
                  "product_id": "T049080-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.0.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.1.9",
                "product": {
                  "name": "Vercel Next.js \u003c15.1.9",
                  "product_id": "T049081"
                }
              },
              {
                "category": "product_version",
                "name": "15.1.9",
                "product": {
                  "name": "Vercel Next.js 15.1.9",
                  "product_id": "T049081-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.1.9"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.2.6",
                "product": {
                  "name": "Vercel Next.js \u003c15.2.6",
                  "product_id": "T049082"
                }
              },
              {
                "category": "product_version",
                "name": "15.2.6",
                "product": {
                  "name": "Vercel Next.js 15.2.6",
                  "product_id": "T049082-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.2.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.3.6",
                "product": {
                  "name": "Vercel Next.js \u003c15.3.6",
                  "product_id": "T049083"
                }
              },
              {
                "category": "product_version",
                "name": "15.3.6",
                "product": {
                  "name": "Vercel Next.js 15.3.6",
                  "product_id": "T049083-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.3.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.4.8",
                "product": {
                  "name": "Vercel Next.js \u003c15.4.8",
                  "product_id": "T049084"
                }
              },
              {
                "category": "product_version",
                "name": "15.4.8",
                "product": {
                  "name": "Vercel Next.js 15.4.8",
                  "product_id": "T049084-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.4.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.5.7",
                "product": {
                  "name": "Vercel Next.js \u003c15.5.7",
                  "product_id": "T049085"
                }
              },
              {
                "category": "product_version",
                "name": "15.5.7",
                "product": {
                  "name": "Vercel Next.js 15.5.7",
                  "product_id": "T049085-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.5.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.0.7",
                "product": {
                  "name": "Vercel Next.js \u003c16.0.7",
                  "product_id": "T049086"
                }
              },
              {
                "category": "product_version",
                "name": "16.0.7",
                "product": {
                  "name": "Vercel Next.js 16.0.7",
                  "product_id": "T049086-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:16.0.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Next.js"
          }
        ],
        "category": "vendor",
        "name": "Vercel"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-55182",
      "product_status": {
        "known_affected": [
          "T049084",
          "T049083",
          "T049082",
          "T049093",
          "T049081",
          "T049092",
          "T049086",
          "T049085",
          "T049080",
          "T049091"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-55182"
    },
    {
      "cve": "CVE-2025-66478",
      "product_status": {
        "known_affected": [
          "T049084",
          "T049083",
          "T049082",
          "T049093",
          "T049081",
          "T049092",
          "T049086",
          "T049085",
          "T049080",
          "T049091"
        ]
      },
      "release_date": "2025-12-03T23:00:00.000+00:00",
      "title": "CVE-2025-66478"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-55182 (GCVE-0-2025-55182)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

EUVD KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Csirt Report Successful Exploitation Confidence: 75% Source: enisa-cnw-kev

Details

References

GHSA-FV66-9V8Q-G76R

Impact

Patches

References

NCSC-2025-0380

WID-SEC-W-2025-2738

Tags

Sightings

Nomenclature