CVEFinder.io

CVE-2025-55182

⛔ critical
🔍 Scan for this CVE
Summary

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

CVSS Score
10.0
Critical
EPSS Score
57.9
Exploit Probability
Published Date
2025-12-03
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Extremely High Risk - more severe than 100.0% of all 321,845 vulnerabilities in our database.

#1
Top 5% most severe
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Dec 5, 2025
🔍 Exploitation Status
Active
Exploits detected in the wild
⚙ī¸ Automatable
YES
Can be exploited automatically
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2025-12-10
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-502

đŸ“Ļ Affected Products 14

Vendor Product Status Affected Versions
facebook react Affected
v19.0.0
facebook react Affected
v19.1.0
facebook react Affected
v19.1.1
facebook react Affected
v19.2.0
vercel next.js Affected
≥ 15.0.0 < 15.0.5
vercel next.js Affected
≥ 15.1.0 < 15.1.9
vercel next.js Affected
≥ 15.2.0 < 15.2.6
vercel next.js Affected
≥ 15.3.0 < 15.3.6
vercel next.js Affected
≥ 15.4.0 < 15.4.8
vercel next.js Affected
≥ 15.5.0 < 15.5.7
vercel next.js Affected
≥ 16.0.0 < 16.0.7
vercel next.js Affected
v14.3.0
vercel next.js Affected
v15.6.0
vercel next.js Affected
v16.0.0

🔗 References 6

https://react.dev/blog/2025/12/03/critical-security-...
Patch Vendor Advisory
https://www.facebook.com/security/advisories/cve-202...
Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/12/03/4
Mailing List Patch Third Party Advisory
https://news.ycombinator.com/item?id=46136026
Issue Tracking
https://aws.amazon.com/blogs/security/china-nexus-cy...
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities...
US Government Resource

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44572 ℹī¸ low 3.7 0.0 Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an exte... 2026-05-13
CVE-2026-44573 ⚠ī¸ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applica... 2026-05-13
CVE-2026-44574 ⚠ī¸ high 8.1 0.0 Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applica... 2026-05-13
CVE-2026-44575 ⚠ī¸ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Rou... 2026-05-13
CVE-2026-44576 đŸ”ļ medium 5.4 0.0 Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applica... 2026-05-13
CVE-2026-44578 ⚠ī¸ high 8.6 4.0 Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-h... 2026-05-13
These CVEs affect the same products