CVE-2025-55182

next: From CVEorg collector

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

INFO

Published Date :

2025-12-03T15:40:56.894Z

Last Modified :

2026-02-26T16:57:36.794Z

Source :

AFFECTED PRODUCTS

The following products are affected by CVE-2025-55182 vulnerability.

Vendors	Products
Facebook	React React-server-dom-parcel React-server-dom-turbopack React-server-dom-webpack
Vercel	Next.js

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-55182.

URL	Resource
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://news.ycombinator.com/item?id=46136026
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
https://www.cve.org/CVERecord?id=CVE-2025-55182
https://www.facebook.com/security/advisories/cve-2025-55182