Remote Code Execution Vulnerability in React Server Components by Meta
CVE-2025-55182

CVSS Score: 10 (CRITICAL)

Key Information:

  • 🥇 Trended No. 1
  • 📈 Trended
  • 📈 Score: 507,000
  • 💰 Ransomware
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 🟣 EPSS 66%
  • 🦅 CISA Reported
  • 📰 News Worthy

What is CVE-2025-55182?

CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components, developed by Meta. It affects React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, along with the associated packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The core issue is insecure handling of payloads during deserialization of HTTP requests directed at Server Function endpoints. Because the flaw can be triggered by an unauthenticated attacker and allows arbitrary code to run on the server, it can severely compromise the security and integrity of any application built on these components.

Potential Impact of CVE-2025-55182

  1. Unauthorized Remote Code Execution: The vulnerability enables attackers to execute arbitrary code on the server hosting the affected components. This can lead to unauthorized access to sensitive data, manipulation of application logic, and control over the server environment.

  2. Compromise of Application Integrity: Successful exploitation may allow adversaries to alter the application's behavior, insert malicious code, or create backdoors for future access. This not only jeopardizes the application's integrity but can also degrade user trust and damage the organization's reputation.

  3. Wider System Vulnerabilities: Once an attacker gains a foothold through this vulnerability, they can potentially pivot to other systems within the organization's network, leading to a broader compromise. This could facilitate further malicious activities, including data breaches or launching additional attacks on other infrastructure components.

CISA has reported CVE-2025-55182

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-55182 as being actively exploited and as known to enable ransomware campaigns.

CISA's recommendation is: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

  • react-server-dom-parcel 19.0.0
  • react-server-dom-parcel 19.1.0 through 19.1.1
  • react-server-dom-parcel 19.2.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Hackers exploit React2Shell in automated credential theft campaign

Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps.

5 days ago

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials

766 hosts breached via CVE-2025-55182 in Next.js apps, enabling mass credential theft and targeted follow-on attacks.

1 week ago

RondoDox botnet expands arsenal targeting 174 flaws, and hits 15,000 daily exploit attempts

RondoDox botnet targets 174 flaws, reaching 15,000 daily exploit attempts in a more focused and strategic campaign.

3 weeks ago


EPSS Score

66% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 💰 Used in Ransomware
  • 🦅 CISA Reported
  • 🟡 Public PoC available
  • 🥇 Vulnerability reached the number 1 worldwide trending spot
  • 📈 Vulnerability started trending
  • 👾 Exploit known to exist
  • 📰 First article discovered by The Hacker News
  • Vulnerability published
  • Vulnerability reserved
