CVE-2025-55182 Overview
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
This insecure deserialization vulnerability allows unauthenticated attackers to execute arbitrary code on servers running affected React Server Components. The vulnerability is particularly dangerous because it requires no user interaction and can be exploited remotely over the network without any prior authentication.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. According to AWS security research, China-nexus cyber threat groups are rapidly exploiting this vulnerability (dubbed "React2Shell"). Immediate patching is required.
Affected Products
- Facebook React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Vercel Next.js versions 14.3.0 (canary77 through canary87)
- Vercel Next.js versions 15.6.0 (including canary releases 0-57) and 16.0.0
Discovery Timeline
- December 3, 2025 - CVE-2025-55182 published to NVD
- December 10, 2025 - Last updated in NVD database
Technical Details for CVE-2025-55182
Vulnerability Analysis
This vulnerability (CWE-502: Deserialization of Untrusted Data) affects React Server Components, a feature introduced in React 19 that enables server-side rendering with direct server function calls. The vulnerable packages (react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack) process incoming HTTP requests to Server Function endpoints without properly validating or sanitizing the serialized data before deserialization.
When a malicious payload is sent to an exposed Server Function endpoint, the deserialization process can instantiate arbitrary objects, leading to remote code execution on the server. Since this occurs before any authentication checks, attackers can exploit the vulnerability without valid credentials.
Root Cause
The root cause lies in the unsafe deserialization of HTTP request payloads within the React Server Components architecture. The server-side rendering packages fail to implement proper input validation and type checking before deserializing incoming data streams. This allows attackers to craft malicious serialized objects that, when processed by the vulnerable deserialization routine, execute arbitrary code with the privileges of the Node.js server process.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can send a specially crafted HTTP request containing a malicious serialized payload directly to any Server Function endpoint. The vulnerable deserialization code processes this payload, triggering arbitrary code execution.
Since React Server Components are designed to handle direct function calls from client-side React applications, the attack surface is any application exposing Server Functions over HTTP. This includes applications built with Next.js using the App Router with Server Actions enabled.
Exploitation has been observed in the wild, and multiple proof-of-concept exploits are publicly available. The vulnerability is being actively exploited by advanced threat actors, as documented in the AWS Security Blog post on China-nexus cyber threats.
Detection Methods for CVE-2025-55182
Indicators of Compromise
- Unusual HTTP POST requests to Server Function endpoints with malformed or oversized payloads
- Unexpected child processes spawned by the Node.js server process
- Outbound network connections from the application server to unknown IP addresses
- Suspicious file system modifications or new files created in the application directory
- Log entries indicating deserialization errors followed by successful command execution
Detection Strategies
- Monitor HTTP request logs for anomalous POST requests targeting /_next/ or Server Action endpoints with unusual content types
- Implement runtime application self-protection (RASP) to detect deserialization attacks
- Deploy web application firewall (WAF) rules to identify serialized object injection patterns
- Use endpoint detection and response (EDR) solutions to monitor for suspicious process chains originating from Node.js
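As an added example (not part of the original advisory), a small JavaScript log-triage script that applies the first detection strategy above to sample access-log lines. It assumes a custom log line shape that records the request Content-Type and request body size; the expected-content-type allowlist and the size threshold are placeholder baselines an operator would tune.

```javascript
// Added example (not from the original advisory): triage helper for the log-monitoring strategy.
// Assumed log shape per line: ip ident user [timestamp] "METHOD PATH PROTO" status request_bytes "content-type"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "([^"]*)"$/;

// Baseline assumptions (placeholders): content types a Server Action request normally carries,
// and the request body size above which a payload counts as oversized.
const EXPECTED_TYPES = ['multipart/form-data', 'text/plain'];
const MAX_BODY_BYTES = 64 * 1024;
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]),
           reqBytes: m[6] === '-' ? 0 : Number(m[6]), contentType: m[7].toLowerCase() };
}

// The advisory names /_next/ as the prefix to watch; add the app's own action routes here.
function isServerFunctionPath(path) {
  return path.startsWith('/_next/');
}

// Returns the list of reasons a request looks anomalous (empty when it is not of interest).
function triage(entry) {
  const reasons = [];
  if (entry.method !== 'POST' || !isServerFunctionPath(entry.path)) return reasons;
  const base = entry.contentType.split(';')[0].trim();
  if (!EXPECTED_TYPES.includes(base)) reasons.push(`unexpected content-type "${base || '(none)'}"`);
  if (entry.reqBytes > MAX_BODY_BYTES) reasons.push(`oversized body ${entry.reqBytes} bytes`);
  return reasons;
}

function scanLog(text) {
  const hits = [];
  for (const raw of text.split('\n')) {
    const entry = parseLine(raw.trim());
    if (!entry) continue;
    const reasons = triage(entry);
    if (reasons.length) hits.push({ ip: entry.ip, ts: entry.ts, path: entry.path, status: entry.status, reasons });
  }
  return hits;
}

// Constructed sample log (documentation IP ranges, not real traffic).
const SAMPLE_LOG = `
203.0.113.5 - - [03/Dec/2025:10:00:01 +0000] "GET /_next/static/chunks/app.js HTTP/1.1" 200 - "-"
203.0.113.5 - - [03/Dec/2025:10:00:02 +0000] "POST /_next/example-action HTTP/1.1" 200 812 "multipart/form-data; boundary=x"
198.51.100.9 - - [03/Dec/2025:10:00:03 +0000] "POST /_next/example-action HTTP/1.1" 500 3145728 "application/octet-stream"
198.51.100.9 - - [03/Dec/2025:10:00:04 +0000] "POST /api/health HTTP/1.1" 200 12 "application/json"
`;
console.log(scanLog(SAMPLE_LOG));
```

Only the third line is reported, with both reasons; the GET and the non-/_next/ POST are ignored, and the well-formed Server Action POST passes the baseline.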
Monitoring Recommendations
- Enable verbose logging for React Server Components and Next.js applications
- Set up alerts for any process execution initiated by the Node.js runtime outside normal application behavior
- Monitor network traffic for command-and-control (C2) communication patterns from web servers
- Implement file integrity monitoring on application directories to detect unauthorized modifications
How to Mitigate CVE-2025-55182
Immediate Actions Required
- Identify all applications using React 19.0.0, 19.1.0, 19.1.1, or 19.2.0 with Server Components enabled
- Update to a patched version of React immediately as recommended in the React Blog security advisory
- If using Next.js, upgrade to a patched version per the vendor guidance
- Temporarily disable Server Functions/Server Actions if patching is not immediately possible
- Review server logs for indicators of compromise before and after patching
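An added example (not the advisory's or the vendors' code) that performs the first step above against a package-lock.json: it walks the lockfile's packages map and flags the React, react-server-dom-* and Next.js versions listed under Affected Products. It assumes npm's lockfileVersion 2/3 layout and that Next.js canary builds are versioned as `<base>-canary.<n>`.

```javascript
// Added example (not part of the advisory): inventory check that flags affected React, RSC and
// Next.js versions in a package-lock.json (lockfileVersion 2/3 "packages" map keyed by path).
// Assumption: Next.js canary builds are versioned as "<base>-canary.<n>" on npm.
const REACT_AFFECTED = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
const RSC_PACKAGES = ['react', 'react-server-dom-parcel', 'react-server-dom-turbopack',
                      'react-server-dom-webpack'];
// Next.js ranges as listed under Affected Products above.
const NEXT_EXACT = new Set(['15.6.0', '16.0.0']);
const NEXT_CANARY_RANGES = [{ base: '14.3.0', min: 77, max: 87 }, { base: '15.6.0', min: 0, max: 57 }];
function isAffectedNext(version) {
  if (NEXT_EXACT.has(version)) return true;
  const m = /^(\d+\.\d+\.\d+)-canary\.(\d+)$/.exec(version);
  if (!m) return false;
  const n = Number(m[2]);
  return NEXT_CANARY_RANGES.some(r => r.base === m[1] && n >= r.min && n <= r.max);
}

function isAffected(name, version) {
  if (name === 'next') return isAffectedNext(version);
  return RSC_PACKAGES.includes(name) && REACT_AFFECTED.has(version);
}

// Lockfile keys are install paths; the name is the part after the last "node_modules/"
// (workspace entries without that segment fall back to info.name or the path itself).
function packageName(path, info) {
  if (info.name) return info.name;
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? path : path.slice(i + 'node_modules/'.length);
}

// Walks every installed copy, nested duplicates included, and returns the affected ones.
function findAffected(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = packageName(path, info);
    if (info.version && isAffected(name, info.version)) findings.push({ path, name, version: info.version });
  }
  return findings;
}

// Constructed lockfile fragment for demonstration (not a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react': { version: '19.2.0' },
  'node_modules/next': { version: '15.6.0-canary.12' },
  'node_modules/react-server-dom-webpack': { version: '19.1.1' },
  'node_modules/some-lib/node_modules/react': { version: '18.3.1' },
} };
```

Run it against a real lockfile with `findAffected(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; lockfileVersion 1 files use a "dependencies" tree instead and are not handled here.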
Patch Information
Security patches are available from both Facebook (React) and Vercel (Next.js). Organizations should consult the official security advisories for specific patched versions:
- React Blog Security Advisory
- Facebook Security Advisory CVE-2025-55182
- CISA Known Exploited Vulnerabilities Catalog
Workarounds
- Disable React Server Components and Server Actions until patches can be applied
- Implement network-level controls to restrict access to application servers from untrusted networks
- Deploy a web application firewall with rules to block suspicious serialized payloads
- Consider temporarily reverting to client-side rendering patterns that do not use Server Functions
# Temporary mitigation: Disable Server Actions in Next.js
# Add the setting to next.config.js. Only create the file when none exists; otherwise merge
# experimental.serverActions into the existing config object instead of overwriting the file.
[ -f next.config.js ] || echo "module.exports = { experimental: { serverActions: { enabled: false } } };" > next.config.js
# Verify the React version installed in your project (npm, or Yarn classic with --pattern)
npm list react
yarn list --pattern react
# Update React to the patched version (consult the vendor advisory for the specific version).
# npm update only moves within the semver range declared in package.json; pin the patched
# version explicitly if the declared range would not reach it.
npm update react react-dom react-server-dom-webpack
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.