Remote Code Execution Vulnerability in React Server Components by Meta
CVE-2025-55182
Key Information:
- Vendor: Meta
- CVE Published: 3 December 2025
What is CVE-2025-55182?
CVE-2025-55182 is a critical, unauthenticated remote code execution vulnerability in React Server Components (RSC), developed by Meta. It affects the RSC server packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack at versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, and therefore the applications built on them, including Next.js applications that use Server Components. The root cause is insecure deserialization: the server does not safely handle attacker-controlled payloads in HTTP requests sent to Server Function endpoints, so a crafted request can make the server execute code of the attacker's choosing. Because the entry point is an ordinary HTTP endpoint that RSC applications expose by design, no credentials are needed, and a successful attack compromises the confidentiality, integrity, and availability of the application and the host it runs on.
Potential Impact of CVE-2025-55182
- Unauthorized Remote Code Execution: An attacker can execute arbitrary code on the server hosting the affected components, gaining access to sensitive data, the ability to manipulate application logic, and control over the server environment.
- Compromise of Application Integrity: Successful exploitation lets an adversary alter the application's behavior, insert malicious code, or plant backdoors for future access. Beyond the technical damage, this erodes user trust and harms the organization's reputation.
- Wider System Compromise: Once an attacker has a foothold on the server, they can pivot to other systems on the organization's network, leading to data breaches or further attacks on other infrastructure components.
Affected Version(s)
- react-server-dom-parcel: 19.0.0 through 19.2.0 (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- react-server-dom-turbopack: 19.0.0 through 19.2.0 (19.0.0, 19.1.0, 19.1.1, 19.2.0)
- react-server-dom-webpack: 19.0.0 through 19.2.0 (19.0.0, 19.1.0, 19.1.1, 19.2.0)
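A quick way to find out whether a project ships one of the affected packages is to scan its npm lockfile for every installed copy of the three react-server-dom-* packages, nested copies included, and compare each against the exact versions listed above. The script below is an added example for this page, not code from Meta or the React project. It assumes an npm package-lock.json with lockfileVersion 2 or 3 (the "packages" map), the hypothetical file name check-rsc.js, and a constructed sample lockfile embedded inline so it runs offline. It matches exact versions rather than the range 19.0.0 to 19.2.0 because the patched point releases from React's advisory (19.0.1, 19.1.2, 19.2.1) fall inside that range and a naive range check would flag them as vulnerable.

```javascript
// Added example (not code from this page, Meta or the React project): scan a
// package-lock.json for the react-server-dom-* packages at the exact versions
// this advisory names. Works on lockfileVersion 2 and 3, whose "packages" map
// keys every installed copy by its node_modules path, nested copies included.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
  'react-server-dom-webpack',
]);

// Exact versions named in the advisory. An exact-match set is used instead of
// the range "19.0.0 <= 19.2.0" because the patched point releases (19.0.1,
// 19.1.2, 19.2.1) sit inside that range and a range check would flag them.
const AFFECTED_VERSIONS = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);

// Return every installed react-server-dom-* copy found in the lock object,
// each marked affected or not. Versions outside AFFECTED_VERSIONS (including
// canary/pre-release builds) are reported but not flagged, so they can be
// reviewed by hand rather than silently passed.
function findAffected(lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  for (const [path, entry] of Object.entries(packages)) {
    // "node_modules/next/node_modules/react-server-dom-webpack" -> last segment
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const version = String((entry && entry.version) || '');
    findings.push({
      path,
      name,
      version,
      affected: AFFECTED_VERSIONS.has(version),
    });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from any real project): a hoisted
// vulnerable copy, a nested copy already on a patched release, and a second
// vulnerable package.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/react-server-dom-turbopack': { version: '19.1.1' },
  },
};

// Human-readable report; returns the lines so callers can log or assert on them.
function formatReport(findings) {
  if (findings.length === 0) return ['no react-server-dom-* packages found'];
  return findings.map(
    (f) => `${f.affected ? 'AFFECTED' : 'ok      '} ${f.name}@${f.version} (${f.path})`,
  );
}

// CLI use: `node check-rsc.js path/to/package-lock.json`. With no argument (or
// a missing file) the constructed sample is scanned instead. The guards keep
// this runnable as CommonJS or when pasted into an ES module, where `require`
// is undefined.
if (typeof process !== 'undefined' && typeof require === 'function') {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file && fs.existsSync(file)
    ? JSON.parse(fs.readFileSync(file, 'utf8'))
    : SAMPLE_LOCK;
  for (const line of formatReport(findAffected(lock))) console.log(line);
}
```

Two caveats when using this on a real project. First, Next.js does not list react-server-dom-webpack as a separate dependency but vendors its own copy under next/dist/compiled, so a clean lockfile scan is not enough for a Next.js app: the installed `next` version must also be checked against the Next.js advisory. Second, the script only understands npm's lockfileVersion 2/3 layout; for yarn or pnpm lockfiles, or an old lockfileVersion 1 file, fall back to `npm ls react-server-dom-webpack react-server-dom-turbopack react-server-dom-parcel` (or the equivalent for your package manager) and compare the printed versions against the list above.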
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. Public PoC code is also a key component of weaponization: once it is available, it is routinely adapted into automated attack tooling, including ransomware delivery.
News Articles
- Critical React, Next.js flaw lets hackers execute code on servers: A maximum severity vulnerability, dubbed 'React2Shell', in the React Server Components (RSC) 'Flight' protocol allows remote code execution without authentication in React and Next.js applications. (9 hours ago)
- Responding to CVE-2025-55182 | Google Cloud Blog: Follow these recommendations to minimize remote code execution risks in React and Next.js from CVE-2025-55182 vulnerabilities. (1 day ago)
- React2Shell: In-the-Wild Exploitation Expected for Critical React Vulnerability: Critical React vulnerability tracked as CVE-2025-55182 and React2Shell can be exploited for unauthenticated remote code execution. (1 day ago)
CVSS v3.1: 10.0 (Critical, the maximum score)
Timeline
- 🟡 Public PoC available
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by The Hacker News
- Vulnerability published
- Vulnerability reserved
