CVE-2025-55182
RCE, CISA KEV, Active
Title: Vercel Next.js
Proof Of Concept
PoC Available for CVE-2025-55182
CWE Category
CWE-502
Published Date
Dec 03, 2025
Modified Date
Dec 10, 2025
Exploit Status
Available
Score
10.0
CVSS v3.1
Exploit Probability (EPSS)
84.49%
Vulnerability Summary
CVE-2025-55182: A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Impacted Vendors
Reference Links
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55182
http://www.openwall.com/lists/oss-security/2025/12/03/4
https://news.ycombinator.com/item?id=46136026
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
CVSS v3.1
Source Entity
[email protected]
Severity
CRITICAL
10.0
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
CHANGED
RAW VECTOR
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Associated Attack Patterns (CAPEC)
No specific attack patterns mapped.
CVE-2025-55182 Exploits & PoCs (Proof Of Concept)
MODIFIED
Vulnerability data or affected products updated.
MODIFIED
Vulnerability data updated via NVD.
PUBLISHED
Vulnerability first announced in NVD.
Affected Stack
No specific products linked.