CVE-2025-55182

10.0 CRITICAL CISA KEV

📋 TL;DR

A critical pre-authentication remote code execution vulnerability exists in React Server Components where unsafe deserialization of HTTP payloads allows attackers to execute arbitrary code without authentication. This affects all applications using vulnerable React Server Components versions 19.0.0 through 19.2.0. Attackers can compromise the entire server infrastructure through this vulnerability.

💻 Affected Systems

Products:
  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack
Versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects React Server Components implementations using Server Function endpoints. Client-side React applications are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover leading to data exfiltration, ransomware deployment, lateral movement to other systems, and persistent backdoor installation.

🟠 Likely Case

Attackers execute arbitrary code to steal sensitive data, deploy cryptocurrency miners, or establish command and control channels for further attacks.

🟢 If Mitigated

With proper network segmentation and strict input validation, impact may be limited to the affected application server only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple threat groups, including China-nexus actors, have been observed exploiting this vulnerability in the wild. Exploitation requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.2.1

Vendor Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Restart Required: Yes

Instructions:

1. Update React Server Components to version 19.2.1 or later.
2. Update package.json to specify 'react-server-dom-*' packages >=19.2.1.
3. Run npm update or yarn upgrade.
4. Restart all application servers and deployment pipelines.

🔧 Temporary Workarounds

Disable Server Function Endpoints (applies to: all)

Temporarily disable vulnerable Server Function endpoints until patching is complete.

  • Modify server configuration to disable RSC endpoints
  • Remove or comment out server function route handlers

Input Validation Middleware (applies to: all)

Implement strict input validation and sanitization for all HTTP requests to RSC endpoints.

  • Add request validation middleware before deserialization
  • Implement payload size limits and content-type validation
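The request-validation workaround above, shown as an added example that is not code from this advisory or from the React project: an Express-style (req, res, next) guard that enforces a payload size cap and a Content-Type allow-list from request metadata before any body is read or deserialized. The /rsc route prefix, the size cap, the allowed media types and the sample requests are all assumptions and must be tuned to the legitimate traffic of the application being protected.

```javascript
// Added example, not code from the advisory or the React project: an
// Express-style (req, res, next) guard placed in front of Server Function
// endpoints. It enforces a payload size cap and a Content-Type allow-list from
// request metadata before any body is read or deserialized. The route prefix,
// the cap and the allow-list below are assumptions; tune them to the
// legitimate traffic of your own application.

const DEFAULT_POLICY = {
  pathPrefix: "/rsc",          // assumed server function route prefix
  maxBodyBytes: 100 * 1024,    // assumed cap; legitimate calls are far smaller
  allowedContentTypes: [       // assumed allow-list; confirm against real requests
    "text/plain",
    "application/json",
    "multipart/form-data",
  ],
};

// Pure decision function so the policy can be tested without an HTTP server.
// Returns { allow: true } or { allow: false, status, reason }.
function checkRscRequest(req, policy = DEFAULT_POLICY) {
  const path = String(req.url || "").split("?")[0];
  if (!path.startsWith(policy.pathPrefix)) return { allow: true }; // not an RSC route

  // Only requests that carry a body reach the deserializer; let GET/HEAD through.
  const method = String(req.method || "GET").toUpperCase();
  if (method === "GET" || method === "HEAD") return { allow: true };

  // Require a sane declared length so the cap is enforceable up front.
  // (Chunked uploads without Content-Length are rejected here by design.)
  const rawLength = req.headers["content-length"];
  const declared = rawLength === undefined ? NaN : Number(rawLength);
  if (!Number.isInteger(declared) || declared < 0) {
    return { allow: false, status: 411, reason: "missing or invalid Content-Length" };
  }
  if (declared > policy.maxBodyBytes) {
    return {
      allow: false,
      status: 413,
      reason: `declared body ${declared} bytes exceeds cap ${policy.maxBodyBytes}`,
    };
  }

  // Compare only the media type; ignore charset/boundary parameters.
  const mediaType = String(req.headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  if (!policy.allowedContentTypes.includes(mediaType)) {
    return { allow: false, status: 415, reason: `content-type "${mediaType}" not allowed` };
  }
  return { allow: true };
}

// Middleware factory: mount before the RSC / server function handler.
function rscGuard(policy = DEFAULT_POLICY) {
  return function (req, res, next) {
    const verdict = checkRscRequest(req, policy);
    if (verdict.allow) return next();
    res.statusCode = verdict.status;
    res.setHeader("Content-Type", "text/plain");
    res.end(`rejected: ${verdict.reason}\n`);
  };
}

// Constructed sample requests (not captured traffic) that exercise each branch.
const SAMPLE_REQUESTS = [
  { method: "POST", url: "/rsc/action", headers: { "content-length": "512", "content-type": "text/plain;charset=UTF-8" } },
  { method: "POST", url: "/rsc/action", headers: { "content-length": "5000000", "content-type": "text/plain" } },
  { method: "POST", url: "/rsc/action", headers: { "content-length": "300", "content-type": "application/x-unknown" } },
  { method: "POST", url: "/rsc/action", headers: { "content-type": "text/plain" } },
  { method: "GET", url: "/static/app.js", headers: {} },
];

for (const req of SAMPLE_REQUESTS) {
  const v = checkRscRequest(req);
  console.log(req.method, req.url, "=>", v.allow ? "allow" : `${v.status} ${v.reason}`);
}
```

This guard decides from headers only, so the layer that actually reads the body must enforce the same byte cap while streaming; a client can under-declare Content-Length. An allow-list that is too narrow will break legitimate Server Function calls, so confirm the media types from the application's own traffic before deploying it, and treat it as a stopgap until the packages are at 19.2.1.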

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate React Server Components from critical infrastructure
  • Deploy web application firewall (WAF) rules to block suspicious serialized payload patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json for react-server-dom-* packages with versions 19.0.0, 19.1.0, 19.1.1, or 19.2.0

Check Version:

npm list react-server-dom-parcel react-server-dom-turbopack react-server-dom-webpack

Verify Fix Applied:

Verify all react-server-dom-* packages are at version 19.2.1 or higher in package-lock.json or yarn.lock
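The version check above, as an added example that is not code from this advisory or from the React project: a script that walks a parsed package-lock.json (lockfileVersion 2 or 3, which lists every installed package under "packages") and reports react-server-dom-* entries still at 19.0.0 through 19.2.0, including nested copies under another dependency's node_modules. The sample lockfile is constructed for illustration; the package names and the 19.2.1 fix version come from the advisory.

```javascript
// Added example, not code from the advisory or the React project: scan a parsed
// package-lock.json (lockfileVersion 2 or 3, which lists installed packages
// under "packages") for react-server-dom-* entries still on an affected
// release. Affected: 19.0.0 through 19.2.0; fixed: 19.2.1.

const AFFECTED_PACKAGES = [
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
  "react-server-dom-webpack",
];
const FIXED_VERSION = "19.2.1";

// Parse the leading MAJOR.MINOR.PATCH of a version string; pre-release and
// build suffixes (e.g. "-canary-...") are ignored, which errs on the side of
// flagging. Returns null when no numeric triple is present.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim().replace(/^[\^~=v]/, ""));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// A react-server-dom-* release is affected when it is a 19.x below 19.2.1.
function isVulnerableVersion(version) {
  const parsed = parseVersion(version);
  return parsed !== null && parsed[0] === 19 && compareVersions(version, FIXED_VERSION) < 0;
}

// Walk every installed path, including nested copies such as
// "node_modules/<dep>/node_modules/react-server-dom-webpack", and match on
// the final package name.
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    if (entry && typeof entry.version === "string" && isVulnerableVersion(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project's), covering a direct hit,
// an already-patched package and a nested copy that a shallow check would miss.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/example-bundler/node_modules/react-server-dom-parcel": { version: "19.1.1" },
  },
};

const hits = findVulnerable(SAMPLE_LOCKFILE);
if (hits.length === 0) {
  console.log("no affected react-server-dom-* versions found");
} else {
  for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, pass JSON.parse of the project's package-lock.json to findVulnerable. The lockfile is the right thing to check rather than package.json: a range such as ^19.0.0 only says what is permitted, while the lockfile records what is actually installed, and nested copies pulled in by a framework or bundler are only visible there. yarn.lock uses a different format and is not handled by this script.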

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to /rsc or server function endpoints
  • Large serialized payloads in request logs
  • Unexpected process spawns or system commands from Node.js processes

Network Indicators:

  • Unusual outbound connections from application servers
  • Traffic patterns matching known exploit payloads
  • Increased error rates from deserialization failures

SIEM Query:

source="application.logs" AND ("react-server-dom" OR "/rsc") AND (payload_size>100000 OR status=500)
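The same conditions as the SIEM query above, applied to raw access logs as an added example that is not part of this advisory: a scanner that flags requests on an RSC route that either carry a payload over 100000 bytes or end in an HTTP 500, and counts hits per client. The log schema (one JSON object per line with ts, client_ip, method, path, status and bytes_in) and the sample lines are assumptions constructed for the example; map your own field names onto these.

```javascript
// Added example, not part of the advisory: applies the conditions of the SIEM
// query above (request on an RSC / server function route, and a payload larger
// than 100000 bytes or an HTTP 500) to application access logs. The log schema
// is an assumption: one JSON object per line with ts, client_ip, method, path,
// status and bytes_in; map your own field names onto these.

const SIZE_THRESHOLD = 100000;             // payload_size>100000 in the SIEM query
const RSC_ROUTE = /(^|\/)rsc(\/|$)/;       // a path segment "rsc", e.g. "/rsc" or "/app/rsc/x"

function parseLogLine(line) {
  try {
    const entry = JSON.parse(line);
    return entry && typeof entry === "object" ? entry : null;
  } catch {
    return null; // malformed line; counted by the caller, never thrown
  }
}

// Reasons a single entry matches; an empty array means no match.
function classify(entry) {
  const reasons = [];
  const path = String(entry.path || "").split("?")[0];
  if (!RSC_ROUTE.test(path)) return reasons;
  if (entry.method === "POST" && Number(entry.bytes_in) > SIZE_THRESHOLD) reasons.push("large-payload");
  if (Number(entry.status) === 500) reasons.push("server-error");
  return reasons;
}

function scanLogs(text) {
  const findings = [];
  let malformed = 0;
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const entry = parseLogLine(line);
    if (!entry) { malformed++; continue; }
    const reasons = classify(entry);
    if (reasons.length > 0) findings.push({ ...entry, reasons });
  }
  return { findings, malformed };
}

// Count findings per client so a single source hammering the endpoint stands out.
function countByClient(findings) {
  const counts = {};
  for (const f of findings) counts[f.client_ip] = (counts[f.client_ip] || 0) + 1;
  return counts;
}

// Constructed sample log (RFC 5737 documentation addresses, not real traffic).
const SAMPLE_LOG = [
  '{"ts":"2025-12-04T10:00:01Z","client_ip":"192.0.2.10","method":"GET","path":"/static/app.js","status":200,"bytes_in":0}',
  '{"ts":"2025-12-04T10:00:02Z","client_ip":"192.0.2.10","method":"POST","path":"/rsc","status":200,"bytes_in":812}',
  '{"ts":"2025-12-04T10:00:03Z","client_ip":"198.51.100.22","method":"POST","path":"/rsc","status":500,"bytes_in":245}',
  '{"ts":"2025-12-04T10:00:04Z","client_ip":"203.0.113.7","method":"POST","path":"/rsc?x=1","status":200,"bytes_in":250000}',
  '{"ts":"2025-12-04T10:00:05Z","client_ip":"203.0.113.7","method":"POST","path":"/rsc","status":500,"bytes_in":300000}',
  '{"ts":"2025-12-04T10:00:06Z","client_ip":"192.0.2.10","method":"POST","path":"/api/login","status":500,"bytes_in":90}',
  'this line is not JSON',
].join("\n");

const result = scanLogs(SAMPLE_LOG);
for (const f of result.findings) console.log(f.ts, f.client_ip, f.path, f.reasons.join(","));
console.log("per-client:", countByClient(result.findings), "malformed lines:", result.malformed);
```

Both conditions are deliberately coarse, as in the SIEM query: a 500 from an RSC route can be an ordinary bug, and a large POST can be a legitimate upload, so the per-client counts and a comparison against the application's normal baseline are what turn these hits into something worth escalating. Pair the log view with the process-spawn indicators listed above, since a successful exploitation will show up there even when the request itself looked unremarkable.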
