Synced 16 Jun 2026 15:24 UTC

CVE-2025-55182

CRITICAL severity · CVSS 10 · Insecure deserialization · actively exploited (CISA KEV)
Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Known use in ransomware campaigns. Added to KEV 2025-12-05. US federal agencies must patch by 2025-12-12.

Summary

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Impact & exploitability

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality impact: High
Integrity impact: High
Availability impact: High
Exploit probability (EPSS): 100%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products we track (2)

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

Official patch: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components