CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-55182

CVSS 10.0v3.1pub. 2025-12-03upd. 2025-12-10

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

🤖 AI Analysis
How it works

Vulnerable code in react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages unsafely deserializes (unsafe deserialization, CWE-502) data transmitted in HTTP requests directed to Server Function endpoints. An unauthenticated attacker can craft a malicious payload in an HTTP request that, after deserialization on the server side, will lead to arbitrary code execution. The vulnerability requires no user interaction or special privileges, and its scope includes breaking isolation boundaries (Scope: Changed).

Impact

An attacker can gain full control over the server — steal sensitive data, modify or destroy system resources, and cause service unavailability. Due to the lack of authentication requirement, the vulnerability poses a direct threat to every publicly accessible application based on React Server Components in vulnerable versions.

Mitigation & patch

Immediately update the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages to a version containing the security patch, in accordance with the official announcement published by React at https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components. Until the patch is deployed, consider restricting access to Server Function endpoints at the firewall or reverse proxy level.

Who is affected

React Server Components in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Affects projects based on Vercel Next.js and Facebook React using these packages.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Facebook React

    APP
    Facebook
    19.0.019.1.019.1.119.2.0
  • Vercel Next.js

    APP
    Vercel
    14.3.015.6.016.0.015.3.0 – 15.3.6 (bez)15.4.0 – 15.4.8 (bez)15.5.0 – 15.5.7 (bez)16.0.0 – 16.0.7 (bez)15.2.0 – 15.2.6 (bez)15.1.0 – 15.1.9 (bez)15.0.0 – 15.0.5 (bez)

CISA KEV — detailsi

Vendori
Meta
Producti
React Server Components
Added to KEVi
December 5, 2025
Remediation deadline (US Federal)i
December 12, 2025(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 12 grudnia 2025
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2025-29927CRITICAL9.1PL ✓ten sam produkt

Pominięcie autoryzacji w middleware Next.js przez nagłówek x-middleware-subrequest

CVE-2026-44573HIGH7.5ten sam produkt

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2....

CVE-2026-44575HIGH7.5ten sam produkt

Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2....

CVE-2026-44574HIGH8.1ten sam produkt

Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2....

CVE-2026-44578HIGH8.6ten sam produkt

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2...