CVE-2025-55182 · CRITICAL 10.0 · CISA KEV · EPSS p99.9%

CVE-2025-55182: Meta React Server Components Remote Code Execution Vulnerability

Meta / React Server Components

Description

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025-55182.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 99.56% probability of exploitation · percentile 99.9% · 2026-06-15T12:03:41Z
Published: 2025-12-03
Last modified: 2025-12-10

CISA KEV entry

Added to KEV: 2025-12-05

Underlying weaknesses · 1

CWE-502

References

  1. https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  2. https://www.facebook.com/security/advisories/cve-2025-55182
  3. http://www.openwall.com/lists/oss-security/2025/12/03/4
  4. https://news.ycombinator.com/item?id=46136026
  5. https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
  6. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182

1

Type: Weakness · Target: Deserialization of Untrusted Data (cwe-502) · Confidence: 0% · Tier: live

(incoming) · 1

Type: KEVEntry · Target: Meta React Server Components Remote Code Execution Vulnerability (kev-cve-2025-55182) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-55346
CVE: React Native Community CLI OS Command Injection Vulnerability
CVE: CVE-2025-67489
CVE: CVE-2026-45495
CVE: CVE-2026-33245
CVE: CVE-2026-21884

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.