CVE-2025-55182

⛔ critical

Summary

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

CVSS Score

10.0

Critical

EPSS Score

57.9

Exploit Probability

Published Date

2025-12-03

First Seen: 2026-01-05

📊 Relative Risk Intelligence

This CVE is Extremely High Risk - more severe than 100.0% of all 317,883 vulnerabilities in our database.

Top 5% most severe

Severity Percentile

🎯 CISA SSVC Assessment Updated: Dec 5, 2025

🔍 Exploitation Status

Active

Exploits detected in the wild

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Total

Complete system compromise possible

SSVC data provided by CISA

Last Modified 2025-12-10

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-502

📦 Affected Products 14

Vendor	Product	Status	Affected Versions
facebook	react	Affected	v19.0.0
facebook	react	Affected	v19.1.0
facebook	react	Affected	v19.1.1
facebook	react	Affected	v19.2.0
vercel	next.js	Affected	≥ 15.0.0 < 15.0.5
vercel	next.js	Affected	≥ 15.1.0 < 15.1.9
vercel	next.js	Affected	≥ 15.2.0 < 15.2.6
vercel	next.js	Affected	≥ 15.3.0 < 15.3.6
vercel	next.js	Affected	≥ 15.4.0 < 15.4.8
vercel	next.js	Affected	≥ 15.5.0 < 15.5.7
vercel	next.js	Affected	≥ 16.0.0 < 16.0.7
vercel	next.js	Affected	v14.3.0
vercel	next.js	Affected	v15.6.0
vercel	next.js	Affected	v16.0.0

🔗 References 6

https://react.dev/blog/2025/12/03/critical-security-...

Patch Vendor Advisory

https://www.facebook.com/security/advisories/cve-202...

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/12/03/4

Mailing List Patch Third Party Advisory

https://news.ycombinator.com/item?id=46136026

Issue Tracking

https://aws.amazon.com/blogs/security/china-nexus-cy...

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities...

US Government Resource

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-27977	🔶 medium	5.4	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1...	2026-03-18
CVE-2026-27978	🔶 medium	4.3	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1...	2026-03-18
CVE-2026-27979	⚠️ high	7.5	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1...	2026-03-18
CVE-2026-27980	⚠️ high	7.5	0.0	Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 1...	2026-03-18
CVE-2026-29057	🔶 medium	6.5	0.1	Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 1...	2026-03-18
CVE-2026-23864	⚠️ high	7.5	0.9	Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-ser...	2026-01-26

These CVEs affect the same products