CVE-2025-55182
Meta React Server Components Remote Code Execution Vulnerability - [Actively Exploited]
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
INFO
Published Date :
Dec. 3, 2025, 4:15 p.m.
Last Modified :
Dec. 6, 2025, 2 a.m.
Remotely Exploit :
No
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 4fc57720-52fe-4431-a0fb-3d2c8747b827 | ||||
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 3.1 | CRITICAL | MITRE-CVE |
Solution
- Update React Server Components to a secure version.
- Remove vulnerable packages like react-server-dom-parcel.
- Apply security patches for affected packages.
- Validate server function endpoint security.
Public PoC/Exploit Available at Github
CVE-2025-55182 has a 600 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-55182.
| URL | Resource |
|---|---|
| https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components | Patch Vendor Advisory |
| https://www.facebook.com/security/advisories/cve-2025-55182 | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2025/12/03/4 | Mailing List Patch Third Party Advisory |
| https://news.ycombinator.com/item?id=46136026 | Issue Tracking |
| https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-55182 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-55182
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
A powerful Go-based tool for automating bug bounty report emails. This tool processes markdown files, extracts target domains, finds email addresses, and sends beautifully formatted HTML emails to recipients.
Go
This repository serves as a centralized collection of custom exploits, proof-of-concept (PoC) code, and offensive security tools I have developed. It is maintained for ethical hacking demonstrations.
cybersecurity exploit metasploit metasploit-framework redteam ruby
Ruby
None
Shell
None
JavaScript CSS
None
JavaScript
cve-2025-55182
Python
None
Dockerfile JavaScript
None
Python CSS TypeScript JavaScript
This project provides a fully functional demonstration of CVE-2025-55182 (React2Shell) - a critical Remote Code Execution vulnerability in React Server Components and Next.js.
TypeScript CSS JavaScript Go
None
JavaScript TypeScript CSS
None
Python Dockerfile
None
TypeScript JavaScript
None
Dockerfile Python HTML JavaScript CSS
Next.Js React Server Components (RSC) Vulnerabilities
code-disclosure cve-2025-55182 cve-2025-55183 cve-2025-55184 dos nextjs rce react rsc exploit poc react-server-components
Python Dockerfile TypeScript
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-55182 vulnerability anywhere in the article.
-
CybersecurityNews
ZnDoor Malware Exploiting React2Shell Vulnerability to Compromise Network Devices
Since December 2025, a concerning trend has emerged across Japanese organizations as attackers exploit a critical vulnerability in React/Next.js applications. The vulnerability, tracked as CVE-2025-55 ... Read more
-
The Register
China, Iran are having a field day with React2Shell, Google warns
At least five more Chinese spy crews, Iran-linked goons, and financially motivated criminals are now attacking the React2Shell, a maximum-severity flaw in the widely used React JavaScript library, acc ... Read more
-
hackread.com
GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware
A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, w ... Read more
-
BleepingComputer
Google links more Chinese hacking groups to React2Shell attacks
Over the weekend, Google's threat intelligence team linked five more Chinese hacking groups to attacks exploiting the maximum-severity "React2Shell" remote code execution vulnerability. Tracked as C ... Read more
-
hackread.com
Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide
Torrance, United States / California, December 12th, 2025, CyberNewsWire In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that enables remote code execu ... Read more
-
CybersecurityNews
Cybersecurity News Weekly Newsletter – Windows, Chrome, and Apple 0-days, Kali Linux 2025.4, and MITRE Top 25
As 2025 nears its close, the cybersecurity landscape shows no signs of slowing down. This week’s developments highlight how rapidly the threat environment continues to evolve with major zero-day vulne ... Read more
-
CybersecurityNews
Google Warns Multiple Hacker Groups Are Exploiting React2Shell to Spread Malware
Google Threat Intelligence Group (GTIG) has issued a warning regarding the widespread exploitation of a critical security flaw in React Server Components. Known as React2Shell (CVE-2025-55182), this v ... Read more
-
Daily CyberSecurity
React2Shell: Max-Score RCE (CVSS 10.0) Triggers Widespread Exploitation by Espionage Groups & Miners
The cybersecurity landscape was jolted this month by the disclosure of a catastrophic vulnerability in one of the world’s most popular web development frameworks. Dubbed “React2Shell,” the flaw has tr ... Read more
-
The Register
New React vulns leak secrets, invite DoS attacks
If you're running React Server Components, you just can't catch a break. In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Se ... Read more
-
CybersecurityNews
Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide
Torrance, United States / California, December 12th, 2025, CyberNewsWire In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that enables remote code execu ... Read more
-
Daily CyberSecurity
Critical React2Shell Vulnerability (CVE-2025-55182) Analysis: Surge in Attacks Targeting RSC-Enabled Services Worldwide
Torrance, United States / California, December 12th, 2025, CyberNewsWire In December 2025, CVE-2025-55182 (React2Shell), a vulnerability in React Server Components (RSC) that enables remote code execu ... Read more
-
Google Cloud
Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen Introduction On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability ... Read more
-
CybersecurityNews
Top 20 Most Exploited Vulnerabilities of 2025: A Comprehensive Analysis
The cybersecurity landscape of 2025 has been marked by an unprecedented surge in vulnerability exploitation, with threat actors leveraging critical flaws across enterprise software, cloud infrastructu ... Read more
-
security.nl
Nieuwe React-kwetsbaarheden leiden tot denial of service en broncode-lek
Onderzoekers hebben nieuwe kwetsbaarheden in React Server Components ontdekt waardoor aanvallers een denial of service kunnen veroorzaken of broncode stelen. Er zijn updates beschikbaar gesteld en Rea ... Read more
-
The Register
Half of exposed React servers remain unpatched amid active exploitation
Half of the internet-facing systems vulnerable to a fast-moving React remote code execution flaw remain unpatched, even as exploitation has exploded into more than a dozen active attack clusters rangi ... Read more
-
The Hacker News
New React RSC Vulnerabilities Enable DoS and Source Code Exposure
Dec 12, 2025Ravie LakshmananSoftware Security / Vulnerability The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could res ... Read more
-
Daily CyberSecurity
React Patches Two New Flaws Risking Server-Crashing DoS and Source Code Disclosure
The security saga surrounding React Server Components continues this week. Just days after the React team patched a critical remote code execution (RCE) flaw, security researchers digging into those v ... Read more
-
The Cloudflare Blog
React2Shell and related RSC vulnerabilities threat brief: early exploitation activity and threat actor techniques
2025-12-117 min readOn December 3, 2025, immediately following the public disclosure of the critical, maximum-severity React2Shell vulnerability (CVE-2025-55182), the Cloudforce One Threat Intelligenc ... Read more
-
The Hacker News
ThreatsDay Bulletin: Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories
This week's cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and gov ... Read more
-
Kaspersky
It didn’t take long: CVE-2025-55182 is now under active exploitation
On December 4, 2025, researchers published details on the critical vulnerability CVE-2025-55182, which received a CVSS score of 10.0. It has been unofficially dubbed React4Shell, as it affects React S ... Read more
The following table lists the changes that have been made to the
CVE-2025-55182 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Dec. 06, 2025
Action Type Old Value New Value Added Date Added 2025-12-05 Added Due Date 2025-12-26 Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name Meta React Server Components Remote Code Execution Vulnerability -
Initial Analysis by [email protected]
Dec. 05, 2025
Action Type Old Value New Value Added CWE CWE-502 Added CPE Configuration OR *cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:* *cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:* Added CPE Configuration OR *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.0.0 up to (excluding) 15.0.5 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.1.0 up to (excluding) 15.1.9 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.2.0 up to (excluding) 15.2.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.3.0 up to (excluding) 15.3.6 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.4.0 up to (excluding) 15.4.8 *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 15.5.0 up to (excluding) 15.5.7 *cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:* versions from (including) 16.0.0 up to (excluding) 16.0.7 *cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:* *cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:* Added Reference Type Facebook, Inc.: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Types: Patch, Vendor Advisory Added Reference Type Facebook, Inc.: https://www.facebook.com/security/advisories/cve-2025-55182 Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 Types: US Government Resource Added Reference Type CISA-ADP: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Types: Third Party Advisory Added Reference Type CVE: https://news.ycombinator.com/item?id=46136026 Types: Issue Tracking Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2025/12/03/4 Types: Mailing List, Patch, Third Party Advisory -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Dec. 05, 2025
Action Type Old Value New Value Added Reference https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/ Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 04, 2025
Action Type Old Value New Value Removed Reference https://github.com/ejpir/CVE-2025-55182-poc -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 04, 2025
Action Type Old Value New Value Added Reference https://github.com/ejpir/CVE-2025-55182-poc Added Reference https://news.ycombinator.com/item?id=46136026 -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Dec. 03, 2025
Action Type Old Value New Value Added Reference http://www.openwall.com/lists/oss-security/2025/12/03/4 -
New CVE Received by [email protected]
Dec. 03, 2025
Action Type Old Value New Value Added Description A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Added Reference https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components Added Reference https://www.facebook.com/security/advisories/cve-2025-55182