CVE ID

CVE-2025-55182

Published 2025-12-03
Updated 5 months ago
Vendor/s
Meta
Product/s
React Server Components
Version/s
19.0.0
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
10.0 / 10 (Critical)
Severity Details
Base score
10 Critical
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-55182 is a critical (CVSS 10.0) RCE vulnerability in React Server Components and Next.js, currently under active exploitation.

CPE

Meta
Product Version Start Version End (excl.) Status
react 19.0.0 19.0.0 vulnerable
react 19.1.0 19.1.0 vulnerable
react 19.1.1 19.1.1 vulnerable
react 19.2.0 19.2.0 vulnerable
next.js 15.0.0 15.0.5 vulnerable
next.js 15.1.0 15.1.9 vulnerable
next.js 15.2.0 15.2.6 vulnerable
next.js 15.3.0 15.3.6 vulnerable
next.js 15.4.0 15.4.8 vulnerable
next.js 15.5.0 15.5.7 vulnerable
next.js 16.0.0 16.0.7 vulnerable
next.js 14.3.0 14.3.0 vulnerable
next.js 15.6.0 15.6.0 vulnerable
next.js 16.0.0 16.0.0 vulnerable

Related weakness (CWE)

CWE-502

Remediation plan

1

Apply official patches

Immediately apply the security updates released by Meta and the Vercel team. For React, move to a patched version beyond 19.2.0. For Next.js, ensure you are on a version that includes the fix for the react-server-dom-webpack and related packages.

2

Update affected systems

Upgrade React to version 19.2.1 or higher. For Next.js users, update to versions 15.0.5+, 15.1.9+, 15.2.6+, 15.3.6+, 15.4.8+, 15.5.7+, 15.6.1+, or 16.0.8+ to ensure the underlying React dependencies are secured.

3

Restrict access

While a patch is the only complete fix, consider placing vulnerable Server Function endpoints behind a Web Application Firewall (WAF) or an authenticated proxy. Implement strict input validation and limit exposure of internal server-side functions to the public internet.

4

Monitor for exploitation

Inspect server logs for unusual POST requests to Server Function endpoints, specifically looking for malformed serialized payloads. Monitor for unexpected outbound network connections or spawned shell processes originating from the web server process.
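A dependency triage check for steps 1 and 2 above, written here as an added example and not part of this advisory or of the React/Next.js projects: it flags React and Next.js versions that fall inside the affected ranges listed on this page, using the first fixed releases given in step 2 (and the 14.3.0 row of the CPE table). The sample manifest is constructed, and only the minimum of a caret/tilde range is checked, so the lockfile's resolved version is the better input.

```javascript
// Added example: version triage for CVE-2025-55182 (not the projects' own code).
const REACT_FIXED = '19.2.1'; // step 2: "Upgrade React to version 19.2.1 or higher"
const NEXT_FIXED = {          // step 2: first patched release per affected minor line
  '15.0': '15.0.5', '15.1': '15.1.9', '15.2': '15.2.6', '15.3': '15.3.6',
  '15.4': '15.4.8', '15.5': '15.5.7', '15.6': '15.6.1', '16.0': '16.0.8',
};

// Turn "^19.1.1" / "~15.3.4" / "16.0.0-canary.1" into [major, minor, patch].
// Range operators and pre-release tags are dropped (assumption: the minimum
// version of the range is what gets checked); anything else yields null.
function parse(spec) {
  const core = String(spec).replace(/^[\^~>=\s]+/, '').split('-')[0];
  const parts = core.split('.').map(Number);
  return parts.length === 3 && !parts.some(Number.isNaN) ? parts : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true = inside an affected range on this page, false = not listed as
// affected, null = version string could not be parsed (check the lockfile).
function isAffected(pkg, spec) {
  const v = parse(spec);
  if (!v) return null;
  if (pkg === 'react') return v[0] === 19 && cmp(v, parse(REACT_FIXED)) < 0;
  if (pkg === 'next') {
    if (cmp(v, [14, 3, 0]) === 0) return true; // listed explicitly in the CPE table
    const fixed = NEXT_FIXED[`${v[0]}.${v[1]}`];
    return fixed ? cmp(v, parse(fixed)) < 0 : false; // minor lines not on the page: not flagged
  }
  return false;
}

function audit(packageJsonText) {
  const deps = JSON.parse(packageJsonText).dependencies || {};
  const findings = [];
  for (const pkg of ['react', 'next']) {
    if (!(pkg in deps)) continue;
    const hit = isAffected(pkg, deps[pkg]);
    if (hit === null) findings.push(`${pkg}@${deps[pkg]}: unparseable spec, check lockfile`);
    else if (hit) findings.push(`${pkg}@${deps[pkg]}: affected by CVE-2025-55182, upgrade`);
  }
  return findings;
}

// Constructed sample manifest, not taken from any real project.
const SAMPLE = JSON.stringify({ dependencies: { react: '^19.1.1', next: '15.3.4' } });
console.log(audit(SAMPLE));
```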

Detection Guidance

Look for HTTP POST requests targeting Server Function endpoints containing complex or obfuscated serialized data in the request body. Specifically, monitor for payloads containing unexpected JavaScript objects that trigger CWE-502. Security teams should use EDR tools to detect anomalous child processes spawned by the Node.js runtime. Network-level signatures should flag high-frequency requests to server-side actions that do not match known application traffic patterns.

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
