
CVE-2025-55182: Facebook React RCE Vulnerability

CVE-2025-55182 is a pre-authentication remote code execution vulnerability in React Server Components that allows attackers to execute arbitrary code through unsafe deserialization. This article covers technical details, affected versions, and mitigation.


CVE-2025-55182 Overview

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, specifically in the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

This insecure deserialization vulnerability allows unauthenticated attackers to execute arbitrary code on servers running affected React Server Components. The vulnerability is particularly dangerous because it requires no user interaction and can be exploited remotely over the network without any prior authentication.

Critical Impact

This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. According to AWS security research, China-nexus cyber threat groups are rapidly exploiting this vulnerability (dubbed "React2Shell"). Immediate patching is required.

Affected Products

  • Facebook React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
  • Vercel Next.js versions 14.3.0 (canary77 through canary87)
  • Vercel Next.js versions 15.6.0 (including canary releases 0-57) and 16.0.0

Discovery Timeline

  • December 3, 2025 - CVE-2025-55182 published to NVD
  • December 10, 2025 - Last updated in NVD database

Technical Details for CVE-2025-55182

Vulnerability Analysis

This vulnerability (CWE-502: Deserialization of Untrusted Data) affects React Server Components, a feature introduced in React 19 that enables server-side rendering with direct server function calls. The vulnerable packages (react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack) process incoming HTTP requests to Server Function endpoints without properly validating or sanitizing the serialized data before deserialization.

When a malicious payload is sent to an exposed Server Function endpoint, the deserialization process can instantiate arbitrary objects, leading to remote code execution on the server. Since this occurs before any authentication checks, attackers can exploit the vulnerability without valid credentials.

Root Cause

The root cause lies in the unsafe deserialization of HTTP request payloads within the React Server Components architecture. The server-side rendering packages fail to implement proper input validation and type checking before deserializing incoming data streams. This allows attackers to craft malicious serialized objects that, when processed by the vulnerable deserialization routine, execute arbitrary code with the privileges of the Node.js server process.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker can send a specially crafted HTTP request containing a malicious serialized payload directly to any Server Function endpoint. The vulnerable deserialization code processes this payload, triggering arbitrary code execution.

Since React Server Components are designed to handle direct function calls from client-side React applications, the attack surface is any application exposing Server Functions over HTTP. This includes applications built with Next.js using the App Router with Server Actions enabled.

The exploitation has been observed in the wild, with multiple proof-of-concept exploits publicly available. The vulnerability is being actively exploited by advanced threat actors, as documented in the AWS Security Blog post on China-nexus cyber threats.

Detection Methods for CVE-2025-55182

Indicators of Compromise

  • Unusual HTTP POST requests to Server Function endpoints with malformed or oversized payloads
  • Unexpected child processes spawned by the Node.js server process
  • Outbound network connections from the application server to unknown IP addresses
  • Suspicious file system modifications or new files created in the application directory
  • Log entries indicating deserialization errors followed by successful command execution

Detection Strategies

  • Monitor HTTP request logs for anomalous POST requests targeting /_next/ or Server Action endpoints with unusual content types
  • Implement runtime application self-protection (RASP) to detect deserialization attacks
  • Deploy web application firewall (WAF) rules to identify serialized object injection patterns
  • Use endpoint detection and response (EDR) solutions to monitor for suspicious process chains originating from Node.js
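The indicators and detection strategies above can be turned into a first-pass log check. The following is an added example written for this page, not detection logic from React, Next.js, or the original advisory: it scans reverse-proxy access-log records for POST requests that carry the Next-Action header Next.js sends with Server Action calls (or hit /_next/ paths), flags unusual content types and oversized bodies, and flags a source whose Server Action call returned a 5xx and then succeeded shortly afterwards. The log field names, the content-type allowlist and the size threshold are assumptions about a typical deployment; the log lines are constructed.

```javascript
// Added example (not part of the original advisory): flag anomalous Server Action
// requests in reverse-proxy access logs, following the indicators listed above.
// Log records are constructed JSON lines; the field names (time, client_ip, method,
// path, status, body_bytes, headers) are an assumption about your proxy's format.

// Deployment baseline; the values are assumptions to tune for your application.
const BASELINE = {
  // Content types a Next.js Server Action call normally uses.
  allowedContentTypes: ["text/plain", "multipart/form-data"],
  // Request bodies larger than this (bytes) are treated as oversized.
  maxBodyBytes: 64 * 1024,
};

// Server Action calls are POSTs that carry the Next-Action header or hit /_next/ paths.
function isServerActionRequest(rec) {
  const headers = rec.headers || {};
  return rec.method === "POST" &&
    (Boolean(headers["next-action"]) || String(rec.path || "").startsWith("/_next/"));
}

// Per-request checks: returns the reasons a request looks anomalous (empty if none).
function analyzeRequest(rec, baseline = BASELINE) {
  const reasons = [];
  if (!isServerActionRequest(rec)) return reasons;
  const headers = rec.headers || {};
  const ct = String(headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!baseline.allowedContentTypes.includes(ct)) {
    reasons.push(`unexpected content type "${ct || "(none)"}"`);
  }
  if (Number(rec.body_bytes) > baseline.maxBodyBytes) {
    reasons.push(`oversized body (${rec.body_bytes} bytes)`);
  }
  return reasons;
}

// Scans JSON log lines. Besides the per-request checks, it flags a source whose
// Server Action call returned a 5xx (a deserialization failure surfaces this way)
// and then succeeded within `windowMs`, the "error followed by success" indicator.
function scanLog(lines, baseline = BASELINE, windowMs = 60_000) {
  const alerts = [];
  const lastServerError = new Map(); // client_ip -> time of last 5xx on a Server Action call
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    const reasons = analyzeRequest(rec, baseline);
    if (isServerActionRequest(rec)) {
      const t = Date.parse(rec.time);
      const prev = lastServerError.get(rec.client_ip);
      if (rec.status >= 500) {
        lastServerError.set(rec.client_ip, t);
      } else if (rec.status === 200 && prev !== undefined && t - prev <= windowMs) {
        reasons.push("5xx on a Server Action call followed by a 200 from the same source");
        lastServerError.delete(rec.client_ip);
      }
    }
    if (reasons.length > 0) {
      alerts.push({ time: rec.time, client_ip: rec.client_ip, path: rec.path, reasons });
    }
  }
  return alerts;
}

// Constructed sample log: one benign Server Action call, one anomalous call that
// errors, a follow-up from the same source that succeeds, a static asset GET, and
// a malformed line.
const SAMPLE_LOG = [
  JSON.stringify({ time: "2025-12-05T12:00:00Z", client_ip: "10.0.0.5", method: "POST", path: "/dashboard",
    status: 200, body_bytes: 512, headers: { "next-action": "a1b2c3", "content-type": "text/plain;charset=UTF-8" } }),
  JSON.stringify({ time: "2025-12-05T12:00:05Z", client_ip: "198.51.100.7", method: "POST", path: "/dashboard",
    status: 500, body_bytes: 200000, headers: { "next-action": "a1b2c3", "content-type": "application/octet-stream" } }),
  JSON.stringify({ time: "2025-12-05T12:00:20Z", client_ip: "198.51.100.7", method: "POST", path: "/dashboard",
    status: 200, body_bytes: 300, headers: { "next-action": "a1b2c3", "content-type": "text/plain;charset=UTF-8" } }),
  JSON.stringify({ time: "2025-12-05T12:00:21Z", client_ip: "10.0.0.9", method: "GET", path: "/_next/static/chunks/main.js",
    status: 200, body_bytes: 0, headers: {} }),
  "this line is not JSON",
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

On the sample, the benign call produces nothing, the anomalous call is reported for both its content type and its body size, and the follow-up success from the same source is reported as the error-then-success pattern. The checks are deliberately stateless apart from the per-source error window, so they can run over a log stream; a real deployment would feed proxy logs in and tune the baseline to observed traffic before alerting.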

Monitoring Recommendations

  • Enable verbose logging for React Server Components and Next.js applications
  • Set up alerts for any process execution initiated by the Node.js runtime outside normal application behavior
  • Monitor network traffic for command-and-control (C2) communication patterns from web servers
  • Implement file integrity monitoring on application directories to detect unauthorized modifications

How to Mitigate CVE-2025-55182

Immediate Actions Required

  • Identify all applications using React 19.0.0, 19.1.0, 19.1.1, or 19.2.0 with Server Components enabled
  • Update to a patched version of React immediately as recommended in the React Blog security advisory
  • If using Next.js, upgrade to a patched version per the vendor guidance
  • Temporarily disable Server Functions/Server Actions if patching is not immediately possible
  • Review server logs for indicators of compromise before and after patching
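The first action, identifying every application on an affected version, can be scripted against each project's lockfile. The following is an added example for this page, not tooling from React, Next.js, or the original advisory: it walks the packages map of a lockfileVersion 2/3 package-lock.json, reports every install (nested copies included) of react or a react-server-dom-* package at one of the four affected React versions, or of next at one of the affected Next.js versions listed under Affected Products, and notes whether any react-server-dom-* package is present at all. The lockfile is constructed; which patched version to move to must come from the vendor advisory.

```javascript
// Added example (not part of the original advisory): audit a project's
// package-lock.json for the React, React Server Components and Next.js versions
// this page lists as affected. The lockfile below is constructed; the patched
// version to move to must come from the vendor advisory, not from this script.

const AFFECTED_REACT_PACKAGES = new Set([
  "react", "react-server-dom-webpack", "react-server-dom-turbopack", "react-server-dom-parcel",
]);
const AFFECTED_REACT_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);

// Next.js versions from the Affected Products list: 14.3.0-canary.77..87,
// 15.6.0 and 15.6.0-canary.0..57, and 16.0.0 (exact matches only).
function isAffectedNextVersion(version) {
  if (version === "15.6.0" || version === "16.0.0") return true;
  const m = /^(\d+\.\d+\.\d+)-canary\.(\d+)$/.exec(version);
  if (!m) return false;
  const n = Number(m[2]);
  if (m[1] === "14.3.0") return n >= 77 && n <= 87;
  if (m[1] === "15.6.0") return n >= 0 && n <= 57;
  return false;
}

function isAffectedReactPackage(name, version) {
  return AFFECTED_REACT_PACKAGES.has(name) && AFFECTED_REACT_VERSIONS.has(version);
}

// Package name from a lockfile location key, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageNameFromLocation(location) {
  const marker = "node_modules/";
  return location.slice(location.lastIndexOf(marker) + marker.length);
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json (nested
// copies included) and reports every affected install, plus whether any
// react-server-dom-* package is present, i.e. the app ships Server Components bundles.
function auditLockfile(lock) {
  const findings = [];
  let usesServerComponents = false;
  for (const [location, meta] of Object.entries(lock.packages || {})) {
    if (location === "") continue; // the root project entry
    const name = packageNameFromLocation(location);
    const version = meta.version;
    if (name.startsWith("react-server-dom-")) usesServerComponents = true;
    if (isAffectedReactPackage(name, version) || (name === "next" && isAffectedNextVersion(version))) {
      findings.push({ location, name, version });
    }
  }
  return { findings, usesServerComponents };
}

// Constructed lockfile: a Next.js 16 app on React 19.2.0 with one nested React 18 copy.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "16.0.0", react: "19.2.0" } },
    "node_modules/next": { version: "16.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

On the sample the audit reports next 16.0.0, react 19.2.0 and react-server-dom-webpack 19.2.0, leaves the nested React 18 copy alone, and confirms that a Server Components bundle package is installed. To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile`; projects using yarn or pnpm lockfiles need a different parser, and the version match is exact, so pre-release builds outside the listed canary ranges are not reported.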

Patch Information

Security patches are available from both Facebook (React) and Vercel (Next.js). Organizations should consult the official security advisories for the specific patched versions.

Workarounds

  • Disable React Server Components and Server Actions until patches can be applied
  • Implement network-level controls to restrict access to application servers from untrusted networks
  • Deploy a web application firewall with rules to block suspicious serialized payloads
  • Consider temporarily reverting to client-side rendering patterns that do not use Server Functions
```bash
# Temporary mitigation: disable Server Actions in Next.js.
# This snippet replaces next.config.js, so back up and merge by hand if the file
# already exists; confirm the option name against the docs for your Next.js version.
[ -f next.config.js ] && cp next.config.js next.config.js.bak
echo "module.exports = { experimental: { serverActions: { enabled: false } } }" > next.config.js

# Verify which React version your project resolves (use your package manager)
npm list react
yarn list react

# Update React to a patched version. `npm update` only moves within the ranges in
# package.json; pin the version the vendor advisory names if it lies outside them,
# e.g. npm install react@<patched-version> react-dom@<patched-version>
npm update react react-dom react-server-dom-webpack
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
