cvelistv5 - cve-2025-55182

CVE-2025-55182 (GCVE-0-2025-55182)

Vulnerability from cvelistv5 – Published: 2025-12-03 15:40 – Updated: 2025-12-04 17:32

Summary

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

Deserialization of Untrusted Data (CWE-502)

Assigner

CISCO-SA-REACT-FLIGHT-TYW32DDB

Vulnerability from csaf_cisco - Published: 2025-12-04 16:00 - Updated: 2025-12-04 16:00

Summary

Remote Code Execution Vulnerability in React and Next.js Frameworks: December 2025

Notes

Summary

On December 3, 2025, the React team released a security advisory regarding a vulnerability, CVE-2025-55182, in the React server that could allow an unauthenticated, remote attacker to perform remote code execution on an affected device or system. For a description of this vulnerability, see the public React Security Advisory ["https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"]. Cisco's standard practice is to update integrated third-party software components to later versions as they become available. This advisory will be updated as additional information becomes available.

Affected Products

Cisco is investigating its product line to determine which products and cloud services may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products and services. The Vulnerable Products ["#vp"] section will include Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool ["https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID"] and contain additional platform-specific information, including workarounds (if available) and fixed software releases.

Vulnerable Products

Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. This section will be updated as information is available.

Products Confirmed Not Vulnerable

Workarounds

This section will be updated as information becomes available.

Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Legal Disclaimer

SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT The Cisco Support and Downloads ["https://www.cisco.com/c/en/us/support/index.html"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid. Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories ["https://www.cisco.com/go/psirt"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] or their contracted maintenance providers. LEGAL DISCLAIMER DETAILS CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories ["https://www.cisco.com/go/psirt"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] for more information.

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "On December 3, 2025, the React team released a security advisory regarding a vulnerability, CVE-2025-55182, in the React server that could allow an unauthenticated, remote attacker to perform remote code execution on an affected device or system.\r\n\r\nFor a description of this vulnerability, see the public React Security Advisory [\"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\"].\r\n\r\nCisco\u0027s standard practice is to update integrated third-party software components to later versions as they become available.\r\n\r\nThis advisory will be updated as additional information becomes available.\r\n\r\n",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "Cisco is investigating its product line to determine which products and cloud services may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products and services.\r\n\r\nThe Vulnerable Products [\"#vp\"] section will include Cisco bug IDs for each affected product or service. The bugs are accessible through the Cisco Bug Search Tool [\"https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID\"] and contain additional platform-specific information, including workarounds (if available) and fixed software releases.",
        "title": "Affected Products"
      },
      {
        "category": "general",
        "text": "Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. This section will be updated as information is available.",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Cisco is investigating its product line to determine which products may be affected by this vulnerability and the impact on each affected product. This section will be updated as information becomes available.",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "This section will be updated as information becomes available.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "legal_disclaimer",
        "text": "SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT\r\n\r\nThe Cisco Support and Downloads [\"https://www.cisco.com/c/en/us/support/index.html\"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.\r\n\r\nCustomers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.\r\n\r\nWhen considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories [\"https://www.cisco.com/go/psirt\"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) [\"https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html\"] or their contracted maintenance providers.\r\n    LEGAL DISCLAIMER DETAILS\r\n\r\nCISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nCopies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories [\"https://www.cisco.com/go/psirt\"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"] for more information.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@cisco.com",
      "issuing_authority": "Cisco PSIRT",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Remote Code Execution Vulnerability in React and Next.js Frameworks: December 2025",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-react-flight-TYw32Ddb"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "public React Security Advisory",
        "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
      },
      {
        "category": "external",
        "summary": "Cisco Bug Search Tool",
        "url": "https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "Cisco Support and Downloads",
        "url": "https://www.cisco.com/c/en/us/support/index.html"
      },
      {
        "category": "external",
        "summary": "Cisco Technical Assistance Center (TAC)",
        "url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
      },
      {
        "category": "external",
        "summary": "considering software upgrades",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
      },
      {
        "category": "external",
        "summary": "the advisories",
        "url": "https://www.cisco.com/go/psirt"
      }
    ],
    "title": "Remote Code Execution Vulnerability in React and Next.js Frameworks: December 2025",
    "tracking": {
      "current_release_date": "2025-12-04T16:00:00+00:00",
      "generator": {
        "date": "2025-12-04T22:48:16+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-react-flight-TYw32Ddb",
      "initial_release_date": "2025-12-04T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2025-12-04T22:33:16+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "interim",
      "version": "1.0.0"
    }
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-55182",
      "notes": [
        {
          "category": "general",
          "text": "No additional information for this vulneraiblity is currently avaialbe.",
          "title": "No Notes"
        }
      ],
      "release_date": "2025-12-04T16:00:00+00:00",
      "title": "Remote Code Execution in React and Next.js Frameworks"
    }
  ]
}

GHSA-FV66-9V8Q-G76R

Vulnerability from github – Published: 2025-12-03 19:07 – Updated: 2025-12-04 21:03

Summary

React Server Components are Vulnerable to RCE

Details

Impact

There is an unauthenticated remote code execution vulnerability in React Server Components.

We recommend upgrading immediately.

The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of: * react-server-dom-webpack * react-server-dom-parcel * react-server-dom-turbopack

Patches

A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

References

See the blog post for more information and upgrade instructions.

Severity ?

10.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-webpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-turbopack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.1.0"
            },
            {
              "fixed": "19.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-server-dom-parcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.2.0"
            },
            {
              "fixed": "19.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55182"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-03T19:07:39Z",
    "nvd_published_at": "2025-12-03T16:15:56Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app\u2019s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
  "id": "GHSA-fv66-9v8q-g76r",
  "modified": "2025-12-04T21:03:39Z",
  "published": "2025-12-03T19:07:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/pull/35277"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ejpir/CVE-2025-55182-poc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/facebook/react"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/releases/tag/v19.0.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/releases/tag/v19.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/facebook/react/releases/tag/v19.2.1"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=46136026"
    },
    {
      "type": "WEB",
      "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "React Server Components are Vulnerable to RCE"
}

NCSC-2025-0380

Vulnerability from csaf_ncscnl - Published: 2025-12-03 20:11 - Updated: 2025-12-03 20:11

Summary

Kwetsbaarheden verholpen in React Server Components

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

React heeft kwetsbaarheden verholpen in bepaalde versies van React Server Components (specifiek voor versies 19.0.0, 19.1.0, 19.1.1 en 19.2.0).

Interpretaties

Een ongeauthenticeerde aanvaller kan een malafide HTTP-verzoek sturen naar elk Server Function-endpoint dat, wanneer het door React wordt verwerkt, kan leiden tot remote code execution op de server. Echter, zelf als een Server Function-endpoint niet is geïmplementeerd, kan exploitatie nog steeds mogelijk zijn via React Server Components. Door deze fout kunnen aanvallers op afstand willekeurige code uitvoeren, wat de integriteit van de getroffen applicaties ernstig in gevaar brengt. De kwetsbaarheid bevindt zich in de React versies 19.0, 19.1.0, 19.1.1 en 19.2.0 van: - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack Als bovengenoemde pakketten worden gebruikt, upgrade dan onmiddellijk. Deze kwetsbaarheid is verholpen in de versies 19.0.1, 19.1.2 en 19.2.1. Als de React-code van uw applicatie geen server gebruikt, is uw applicatie niet kwetsbaar voor deze kwetsbaarheid. Eveneens, als uw applicatie geen framework, bundler of bundler-plugin gebruikt die React Server Components ondersteunt, is uw applicatie niet getroffen. De volgende React-frameworks en bundlers zijn getroffen: - Next - React Router - Waku - @parcel/rsc - @vitejs/plugin-rsc - rwsdk De kwetsbaarheid treft ook Next.js met App Router, en heeft het kenmerk CVE-2025-66478. De kwetsbaarheid bevindt zich in de Next.js-versies 14.3.0-canary, 15.x en 16.x en is verholpen in de volgende gepatchte versies: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 en 16.0.7.

Oplossingen

React heeft beveiligingsupdates uitgebracht om de kwetsbaarheid te verhelpen. Het NCSC adviseert om deze updates zo snel mogelijk te installeren. Zie de instructies van React voor meer informatie.

Kans

high

Schade

high

CWE-502

Deserialization of Untrusted Data

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "React heeft kwetsbaarheden verholpen in bepaalde versies van React Server Components (specifiek voor versies 19.0.0, 19.1.0, 19.1.1 en 19.2.0).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een ongeauthenticeerde aanvaller kan een malafide HTTP-verzoek sturen naar elk Server Function-endpoint dat, wanneer het door React wordt verwerkt, kan leiden tot remote code execution op de server. Echter, zelf als een Server Function-endpoint niet is ge\u00efmplementeerd, kan exploitatie nog steeds mogelijk zijn via React Server Components. Door deze fout kunnen aanvallers op afstand willekeurige code uitvoeren, wat de integriteit van de getroffen applicaties ernstig in gevaar brengt.\n\nDe kwetsbaarheid bevindt zich in de React versies 19.0, 19.1.0, 19.1.1 en 19.2.0 van:\n\n- react-server-dom-webpack\n- react-server-dom-parcel\n- react-server-dom-turbopack\n\nAls bovengenoemde pakketten worden gebruikt, upgrade dan onmiddellijk. Deze kwetsbaarheid is verholpen in de versies 19.0.1, 19.1.2 en 19.2.1. Als de React-code van uw applicatie geen server gebruikt, is uw applicatie niet kwetsbaar voor deze kwetsbaarheid. Eveneens, als uw applicatie geen framework, bundler of bundler-plugin gebruikt die React Server Components ondersteunt, is uw applicatie niet getroffen. \n\nDe volgende React-frameworks en bundlers zijn getroffen: \n\n- Next\n- React Router\n- Waku\n- @parcel/rsc\n- @vitejs/plugin-rsc\n- rwsdk\n\nDe kwetsbaarheid treft ook Next.js met App Router, en heeft het kenmerk CVE-2025-66478. De kwetsbaarheid bevindt zich in de Next.js-versies 14.3.0-canary, 15.x en 16.x en is verholpen in de volgende gepatchte versies: 14.3.0-canary.88, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 en 16.0.7.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "React heeft beveiligingsupdates uitgebracht om de kwetsbaarheid te verhelpen. Het NCSC adviseert om deze updates zo snel mogelijk te installeren. Zie de instructies van React voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66478"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
      },
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182"
      }
    ],
    "title": "Kwetsbaarheden verholpen in React Server Components",
    "tracking": {
      "current_release_date": "2025-12-03T20:11:57.728117Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2025-0380",
      "initial_release_date": "2025-12-03T20:11:57.728117Z",
      "revision_history": [
        {
          "date": "2025-12-03T20:11:57.728117Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-parcel"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-2"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-turbopack"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-3"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-webpack"
          }
        ],
        "category": "vendor",
        "name": "Meta"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-4"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-parcel"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-5"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-turbopack"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-6"
                }
              }
            ],
            "category": "product_name",
            "name": "react-server-dom-webpack"
          }
        ],
        "category": "vendor",
        "name": "Meta Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-55182",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "A critical unauthenticated remote code execution vulnerability exists in specific versions of React Server Components due to unsafe deserialization, affecting versions 19.0.0 to 19.2.0.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-55182 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-55182.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6"
          ]
        }
      ],
      "title": "CVE-2025-55182"
    },
    {
      "cve": "CVE-2025-66478",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "description",
          "text": "A vulnerability tracked as CVE-2025-55182 has been identified in specific React packages, including Next.js versions 15.x and 16.x, necessitating upgrades to patched versions.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1",
          "CSAFPID-2",
          "CSAFPID-3",
          "CSAFPID-4",
          "CSAFPID-5",
          "CSAFPID-6"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-66478 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-66478.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1",
            "CSAFPID-2",
            "CSAFPID-3",
            "CSAFPID-4",
            "CSAFPID-5",
            "CSAFPID-6"
          ]
        }
      ],
      "title": "CVE-2025-66478"
    }
  ]
}

FKIE_CVE-2025-55182

Vulnerability from fkie_nvd - Published: 2025-12-03 16:15 - Updated: 2025-12-04 18:15

Severity ?

10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	cve-assign@fb.com	https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
	cve-assign@fb.com	https://www.facebook.com/security/advisories/cve-2025-55182
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/12/03/4
	af854a3a-2127-422b-91ae-364da2661108	https://news.ycombinator.com/item?id=46136026

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
    }
  ],
  "id": "CVE-2025-55182",
  "lastModified": "2025-12-04T18:15:50.790",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "cve-assign@fb.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-03T16:15:56.463",
  "references": [
    {
      "source": "cve-assign@fb.com",
      "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
    },
    {
      "source": "cve-assign@fb.com",
      "url": "https://www.facebook.com/security/advisories/cve-2025-55182"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://news.ycombinator.com/item?id=46136026"
    }
  ],
  "sourceIdentifier": "cve-assign@fb.com",
  "vulnStatus": "Awaiting Analysis"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-55182 (GCVE-0-2025-55182)

CISCO-SA-REACT-FLIGHT-TYW32DDB

GHSA-FV66-9V8Q-G76R

Impact

Patches

References

NCSC-2025-0380

FKIE_CVE-2025-55182

Tags

Sightings

Nomenclature