CVE-2025-55182


A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Published: 2025-12-03 · Last update: 2025-12-10 · Assigner: [email protected] · Source: [email protected]

Conclusion & alert: CVE-2025-55182 is rated Critical Active Threat (98.4/100): CVSS Critical severity, with high exploitation likelihood (EPSS 83.20%, 99th percentile). Core evidence: CISA KEV confirms active exploitation (added 2025-12-05) affecting Meta / React Server Components. Weakness: CWE-502. Unauthenticated remote administrative access may be possible. Mandatory action: The CISA remediation deadline has passed; treat as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2025-55182

Name: Meta React Server Components Remote Code Execution Vulnerability · CISA KEV detail

Exploit added: 2025-12-05

Action due: 2025-12-12

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public exploit references (Exploit-DB) for CVE-2025-55182

EDB-ID Source Kind Published Link
52506 exploit_db edb 2026-04-09 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2025-55182

EPSS gives a daily estimate of the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-07 84.54% 83.20% -1.34%
2 2026-06-04 82.01% 84.54% +2.53%
3 2026-05-29 82.01%

Full EPSS history (54 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-55182

CVSS metrics for this CVE.

Base score: 10.0 · Version: 3.1 · Severity: CRITICAL · Exploitability: 3.9 · Impact: 6.0 · Score source: [email protected]

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack vector (AV:N): Could be attacked over the internet or any normal routed network, not just by someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward, with no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed; an anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources, giving a bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data, so trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2025-55182

GitHub Security Advisory for CVE-2025-55182

GHSA-fv66-9v8q-g76r · Severity: critical · Ecosystem: npm — React Server Components are Vulnerable to RCE

OS Trackers for CVE-2025-55182

vendor priority summary link
redhat critical https://access.redhat.com/security/cve/CVE-2025-55182

Affected software / configurations for CVE-2025-55182

Vendor Product Version Raw CPE
facebook react 19.0.0 cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*
facebook react 19.1.0 cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*
facebook react 19.1.1 cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*
facebook react 19.2.0 cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*
vercel next.js >= 15.0.0, < 15.0.5 cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel next.js >= 15.1.0, < 15.1.9 cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel next.js >= 15.2.0, < 15.2.6 cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel next.js >= 15.3.0, < 15.3.6 cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel next.js >= 15.4.0, < 15.4.8 cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel next.js >= 15.5.0, < 15.5.7 cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel next.js >= 16.0.0, < 16.0.7 cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*
vercel next.js 14.3.0 cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*
vercel next.js 15.6.0 cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*

References for CVE-2025-55182

cvelogic Threat Intelligence