Home > Vulnerability Database > CVE-2025-55182

Mend.io Vulnerability Database

CVE-2025-55182

Good to know:

Date: December 3, 2025

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Severity Score

10.0

Related Resources (16)

Url: https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700

Url: https://www.facebook.com/security/advisories/cve-2025-55182

Url: https://github.com/facebook/react/releases/tag/v19.1.2

Url: https://github.com/facebook/react/releases/tag/v19.2.1

Url: https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

Url: https://github.com/facebook/react/releases/tag/v19.0.1

Url: https://github.com/ejpir/CVE-2025-55182-poc

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-55182

Url: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

Url: http://www.openwall.com/lists/oss-security/2025/12/03/4

Url: https://github.com/facebook/react/pull/35277

Url: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Url: https://news.ycombinator.com/item?id=46136026

Url: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182

Url: https://github.com/facebook/react

Url: https://www.mend.io/vulnerability-database/CVE-2025-55182

Severity Score

10.0

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version react-server-dom-parcel - 19.0.1;react-server-dom-parcel - 19.1.2;react-server-dom-parcel - 19.2.1;react-server-dom-parcel - 19.2.1;react-server-dom-turbopack - 19.0.1;react-server-dom-turbopack - 19.1.2;react-server-dom-turbopack - 19.2.1;react-server-dom-turbopack - 19.2.1;react-server-dom-turbopack - 19.0.1;react-server-dom-webpack - 19.0.1;react-server-dom-webpack - 19.1.2;react-server-dom-webpack - 19.2.1;react-server-dom-webpack - 19.2.1;react-server-dom-webpack - 19.0.1;next - 16.0.7;next - 15.5.7;next - 15.4.8;next - 15.3.6;next - 15.2.6;next - 15.1.9;next - 15.0.5;https://github.com/facebook/react.git - v19.2.1;https://github.com/facebook/react.git - v19.1.2;https://github.com/facebook/react.git - v19.0.1

Learn More

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-55182

Good to know:

Date: December 3, 2025

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?