CVE-2025-55182

Dec. 10, 2025, 2 a.m.

10.0
Critical

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Product(s) Impacted

Vendor Product Versions
Facebook
  • React
  • 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel
  • Next.js
  • *, 14.3.0, 15.6.0, 16.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a facebook react 19.0.0 / / / / / / /
a facebook react 19.1.0 / / / / / / /
a facebook react 19.1.1 / / / / / / /
a facebook react 19.2.0 / / / / / / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js 14.3.0 canary77 / / / node.js / /
a vercel next.js 14.3.0 canary78 / / / node.js / /
a vercel next.js 14.3.0 canary79 / / / node.js / /
a vercel next.js 14.3.0 canary80 / / / node.js / /
a vercel next.js 14.3.0 canary81 / / / node.js / /
a vercel next.js 14.3.0 canary82 / / / node.js / /
a vercel next.js 14.3.0 canary83 / / / node.js / /
a vercel next.js 14.3.0 canary84 / / / node.js / /
a vercel next.js 14.3.0 canary85 / / / node.js / /
a vercel next.js 14.3.0 canary86 / / / node.js / /
a vercel next.js 14.3.0 canary87 / / / node.js / /
a vercel next.js 15.6.0 - / / / node.js / /
a vercel next.js 15.6.0 canary0 / / / node.js / /
a vercel next.js 15.6.0 canary1 / / / node.js / /
a vercel next.js 15.6.0 canary10 / / / node.js / /
a vercel next.js 15.6.0 canary11 / / / node.js / /
a vercel next.js 15.6.0 canary12 / / / node.js / /
a vercel next.js 15.6.0 canary13 / / / node.js / /
a vercel next.js 15.6.0 canary14 / / / node.js / /
a vercel next.js 15.6.0 canary15 / / / node.js / /
a vercel next.js 15.6.0 canary16 / / / node.js / /
a vercel next.js 15.6.0 canary17 / / / node.js / /
a vercel next.js 15.6.0 canary18 / / / node.js / /
a vercel next.js 15.6.0 canary19 / / / node.js / /
a vercel next.js 15.6.0 canary2 / / / node.js / /
a vercel next.js 15.6.0 canary20 / / / node.js / /
a vercel next.js 15.6.0 canary21 / / / node.js / /
a vercel next.js 15.6.0 canary22 / / / node.js / /
a vercel next.js 15.6.0 canary23 / / / node.js / /
a vercel next.js 15.6.0 canary24 / / / node.js / /
a vercel next.js 15.6.0 canary25 / / / node.js / /
a vercel next.js 15.6.0 canary26 / / / node.js / /
a vercel next.js 15.6.0 canary27 / / / node.js / /
a vercel next.js 15.6.0 canary28 / / / node.js / /
a vercel next.js 15.6.0 canary29 / / / node.js / /
a vercel next.js 15.6.0 canary3 / / / node.js / /
a vercel next.js 15.6.0 canary30 / / / node.js / /
a vercel next.js 15.6.0 canary31 / / / node.js / /
a vercel next.js 15.6.0 canary32 / / / node.js / /
a vercel next.js 15.6.0 canary33 / / / node.js / /
a vercel next.js 15.6.0 canary34 / / / node.js / /
a vercel next.js 15.6.0 canary35 / / / node.js / /
a vercel next.js 15.6.0 canary36 / / / node.js / /
a vercel next.js 15.6.0 canary37 / / / node.js / /
a vercel next.js 15.6.0 canary38 / / / node.js / /
a vercel next.js 15.6.0 canary39 / / / node.js / /
a vercel next.js 15.6.0 canary4 / / / node.js / /
a vercel next.js 15.6.0 canary40 / / / node.js / /
a vercel next.js 15.6.0 canary41 / / / node.js / /
a vercel next.js 15.6.0 canary42 / / / node.js / /
a vercel next.js 15.6.0 canary43 / / / node.js / /
a vercel next.js 15.6.0 canary44 / / / node.js / /
a vercel next.js 15.6.0 canary45 / / / node.js / /
a vercel next.js 15.6.0 canary46 / / / node.js / /
a vercel next.js 15.6.0 canary47 / / / node.js / /
a vercel next.js 15.6.0 canary48 / / / node.js / /
a vercel next.js 15.6.0 canary49 / / / node.js / /
a vercel next.js 15.6.0 canary5 / / / node.js / /
a vercel next.js 15.6.0 canary50 / / / node.js / /
a vercel next.js 15.6.0 canary51 / / / node.js / /
a vercel next.js 15.6.0 canary52 / / / node.js / /
a vercel next.js 15.6.0 canary53 / / / node.js / /
a vercel next.js 15.6.0 canary54 / / / node.js / /
a vercel next.js 15.6.0 canary55 / / / node.js / /
a vercel next.js 15.6.0 canary56 / / / node.js / /
a vercel next.js 15.6.0 canary57 / / / node.js / /
a vercel next.js 15.6.0 canary6 / / / node.js / /
a vercel next.js 15.6.0 canary7 / / / node.js / /
a vercel next.js 15.6.0 canary8 / / / node.js / /
a vercel next.js 15.6.0 canary9 / / / node.js / /
a vercel next.js 16.0.0 - / / / node.js / /

References

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55182
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://news.ycombinator.com/item?id=46136026
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182

Tags

CWE-502
cve-assign@fb.com
2025-12-03
CVE-2025-55182

CVSS Score

10.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: Dec. 3, 2025, 4:15 p.m.
Last Modified: Dec. 10, 2025, 2 a.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

More info

Source

cve-assign@fb.com

Relations

Here is the list of observables linked to the vulnerability CVE-2025-55182 using threat intelligence.

  • Lazarus Group, Kimsuky
  • Earth Lamia, Jackpot Panda
  • China-nexus
  • WebBrowserPassView
  • RondoDox
  • Kaiji
  • ANGRYREBEL.LINUX
  • Sliver
  • HISONIC
  • Mirai
  • BADCALL - S0245
  • EtherRAT
  • PeerBlight
  • HttpTroy
  • BLINDINGCAN - S0520
  • ZinFoq
  • ShadowPad - S0596
  • Gafgyt
  • CowTunnel
  • Quasar RAT
  • SNOWLIGHT
  • VShell
  • GobRAT
  • XMRig
  • MailPassView
  • MINOCAT
  • ShadowPad
  • Supershell
  • COMPOOD
  • React Server Components
  • React Server Components

Linked Attack Reports

China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)

Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. This critical vulnerability in React Server Compone…
exploit
china-nexus
CVE-2025-1338
next.js
earth lamia
CVE-2025-55182
2025-12-05
jackpot panda
state sponsored
react2shell
react server
app router
Published: December 5, 2025
Linked vulnerabilities : CVE-2025-1338 (CVSS 7.3), CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 4

Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3)

A critical vulnerability in Microsoft's Windows Server Update Services (WSUS) allows unauthenticated remote code execution with system privileges. Initially patched on October 14, 2025, the flaw required an emergency update on October 23 due to incomplete mitigation. Active exploitation was observe…
cisa
rce
patch management
CVE-2025-59287
2025-12-07
active exploitation
kev catalog
windows server
wsus
Published: December 7, 2025
Linked vulnerabilities : CVE-2024-36401, CVE-2025-32433 (CVSS 10.0), CVE-2025-52905 (CVSS 7.0), CVE-2025-52906 (CVSS 9.3), CVE-2025-52907 (CVSS 7.3), CVE-2025-59287 (CVSS 9.8), CVE-2025-53868 (CVSS 8.5), CVE-2025-61955 (CVSS 8.5), CVE-2025-57780 (CVSS 8.5), CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-21042
Downloadable IOCs: 1

Critical React2Shell Vulnerability Under Active Exploitation by Chinese Threat Actors

A critical vulnerability dubbed 'React2Shell' (CVE-2025-55182) in React Server Components is being actively exploited by Chinese threat actors. The flaw affects multiple versions and packages, allowing arbitrary code execution through crafted HTTP requests. Approximately 39% of scanned cloud enviro…
gobrat
chinese threat actors
arbitrary code execution
CVE-2025-55182
react2shell
2025-12-08
active exploitation
react server components
Published: December 8, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 2

React2Shell Deep Dive: CVE-2025-55182 Exploit Mechanics

The critical Remote Code Execution vulnerability CVE-2025-55182, dubbed 'React2Shell', affects React Server Components (RSC) and extends beyond Next.js. Attackers are exploiting it for cloud-native initial access, credential harvesting, cryptomining, and deploying sophisticated backdoors. The vulne…
exploit
rce
next.js
deserialization
CVE-2025-55182
react2shell
2025-12-09
react
rsc
Published: December 9, 2025
Linked vulnerabilities : CVE-2021-4034, CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 38

PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182

A critical vulnerability in React Server Components (CVE-2025-55182) is being exploited across various organizations. Attackers are deploying cryptominer malware, a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq. Peer…
post-exploitation
linux backdoor
CVE-2025-55182
react2shell
2025-12-10
bittorrent dht
cowtunnel
kaiji
peerblight
zinfoq
Published: December 10, 2025
Linked vulnerabilities : CVE-2025-30406, CVE-2025-55182 (CVSS 10.0), CVE-2025-66478
Downloadable IOCs: 36

Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited

A zero-day vulnerability in Gogs, a popular self-hosted Git service, has been discovered and is being actively exploited. The flaw, identified as CVE-2025-8110, is a symlink bypass of a previously patched RCE vulnerability. It allows authenticated users to overwrite files outside the repository, le…
vulnerability
zero-day
cloud security
supershell
rce
CVE-2024-55947
2025-12-10
CVE-2025-8110
git service
gogs
symlink bypass
Published: December 10, 2025
Linked vulnerabilities : CVE-2024-54148 (CVSS 9.8), CVE-2024-55947, CVE-2023-46747, CVE-2024-56731 (CVSS 10.0), CVE-2025-55182 (CVSS 10.0), CVE-2025-8110 (CVSS 8.7)
Downloadable IOCs: 0

It didn’t take long: CVE-2025-55182 is now under active exploitation

A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a su…
xmrig
vulnerability
botnet
mirai
exploitation
gafgyt
honeypot
rondodox
CVE-2025-55182
2025-12-11
react server components
crypto miner
react4shell
Published: December 11, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 46

React2Shell flaw (CVE-2025-55182) exploited for remote code execution

A critical vulnerability called 'React2Shell' (CVE-2025-55182) affecting React Server Components has been widely exploited. The flaw allows remote code execution through unsafe handling of incoming data during deserialization. Over 165,000 vulnerable IP addresses have been identified. Post-exploita…
persistence
remote code execution
obfuscated javascript
vshell
snowlight
deserialization
CVE-2025-55182
react2shell
2025-12-12
etherrat
linux loaders
state-sponsored attacks
Published: December 12, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 3

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

A critical remote code execution vulnerability in React Server Components, CVE-2025-55182, has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, S…
remote code execution
CVE-2025-55182
react2shell
2025-12-13
Published: December 13, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-67779 (CVSS 7.5)
Downloadable IOCs: 7

Malicious SSO Logins Observed Following Disclosure of CVE-2025-59718 and CVE-2025-59719

On December 12, 2025, intrusions involving malicious SSO logins on FortiGate appliances were observed. These attacks followed Fortinet's disclosure of two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9. The vulnerabilities allow unauthenticated bypa…
fortigate
authentication bypass
firewall
CVE-2025-59718
CVE-2025-59719
2025-12-15
forticloud
Published: December 15, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2025-59718 (CVSS 9.8), CVE-2025-59719 (CVSS 9.8)
Downloadable IOCs: 4

Defending against the CVE-2025-55182 (React2Shell) vulnerability in React Server Components

CVE-2025-55182, also known as React2Shell, is a critical pre-authentication remote code execution vulnerability affecting React Server Components and related frameworks. With a CVSS score of 10.0, it allows attackers to execute arbitrary code on vulnerable servers through a single malicious HTTP re…
vulnerability
remote code execution
vshell
snowlight
CVE-2025-55182
react2shell
2025-12-15
etherrat
Published: December 15, 2025
Linked vulnerabilities : CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065, CVE-2025-55182 (CVSS 10.0), CVE-2025-66478
Downloadable IOCs: 50

Inside DPRK Operations: New Infrastructure Uncovered Across Global Campaigns

North Korean state-sponsored threat actors, including Lazarus and Kimsuky, continue to conduct widespread hacking operations for intelligence gathering, financial gain, and access. The investigation uncovered previously unconnected operational assets, revealing active tool-staging servers, credenti…
quasar rat
dprk
vps
blindingcan
2025-12-18
badcall
mailpassview
Published: December 18, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 20

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.