CVE-2025-55182
Published: 03 December 2025
Summary
CVE-2025-55182 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Vercel Next.js. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely patching of the unsafe deserialization flaw in React Server Components as outlined in vendor advisories, directly eliminating the RCE vulnerability.
- SI-10 (Information Input Validation): enforces validation and sanitization of untrusted HTTP payloads before deserialization, preventing exploitation of CWE-502 in Server Function endpoints.
- Boundary protection devices inspect and filter malicious HTTP requests targeting exposed Server Function endpoints, mitigating pre-auth RCE attempts.
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability enables unauthenticated remote code execution via crafted HTTP requests to exposed public-facing Server Function endpoints in React Server Components, directly mapping to exploitation of public-facing applications.
NVD Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Deeper analysis
CVE-2025-55182 is a pre-authentication remote code execution vulnerability affecting React Server Components in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw arises from vulnerable code that unsafely deserializes payloads from HTTP requests sent to Server Function endpoints. Published on 2025-12-03, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-502 (Deserialization of Untrusted Data).
Unauthenticated remote attackers can exploit this vulnerability by crafting and sending malicious HTTP requests to exposed Server Function endpoints, triggering deserialization and achieving arbitrary remote code execution on the affected server. The attack requires no privileges, user interaction, or special access, with low complexity and network accessibility enabling broad exploitation potential, including full confidentiality, integrity, and availability impacts due to the changed scope.
Advisories from React at https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components and Facebook at https://www.facebook.com/security/advisories/cve-2025-55182 outline mitigations and patches. Further technical discussion appears on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2025/12/03/4 and Hacker News at https://news.ycombinator.com/item?id=46136026.
An AWS security blog notes rapid real-world exploitation by China-nexus cyber threat groups, dubbing the issue "react2shell" (https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/).
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 05 December 2025