CVE-2025-55182
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
| Software | From | Fixed in |
|---|---|---|
| facebook / react | 19.0.0 | 19.0.0.x |
| facebook / react | 19.1.0 | 19.1.0.x |
| facebook / react | 19.1.1 | 19.1.1.x |
| facebook / react | 19.2.0 | 19.2.0.x |
| vercel / next.js | 15.0.0 | 15.0.5 |
| vercel / next.js | 15.1.0 | 15.1.9 |
| vercel / next.js | 15.2.0 | 15.2.6 |
| vercel / next.js | 15.3.0 | 15.3.6 |
| vercel / next.js | 15.4.0 | 15.4.8 |
| vercel / next.js | 15.5.0 | 15.5.7 |
| vercel / next.js | 16.0.0 | 16.0.7 |
| vercel / next.js | 14.3.0-canary77 | 14.3.0-canary77.x |
| vercel / next.js | 14.3.0-canary78 | 14.3.0-canary78.x |
| vercel / next.js | 14.3.0-canary79 | 14.3.0-canary79.x |
| vercel / next.js | 14.3.0-canary80 | 14.3.0-canary80.x |
| vercel / next.js | 14.3.0-canary81 | 14.3.0-canary81.x |
| vercel / next.js | 14.3.0-canary82 | 14.3.0-canary82.x |
| vercel / next.js | 14.3.0-canary83 | 14.3.0-canary83.x |
| vercel / next.js | 14.3.0-canary84 | 14.3.0-canary84.x |
| vercel / next.js | 14.3.0-canary85 | 14.3.0-canary85.x |
| vercel / next.js | 14.3.0-canary86 | 14.3.0-canary86.x |
| vercel / next.js | 14.3.0-canary87 | 14.3.0-canary87.x |
| vercel / next.js | 15.6.0 | 15.6.0.x |
| vercel / next.js | 15.6.0-canary0 | 15.6.0-canary0.x |
| vercel / next.js | 15.6.0-canary1 | 15.6.0-canary1.x |
| vercel / next.js | 15.6.0-canary10 | 15.6.0-canary10.x |
| vercel / next.js | 15.6.0-canary11 | 15.6.0-canary11.x |
| vercel / next.js | 15.6.0-canary12 | 15.6.0-canary12.x |
| vercel / next.js | 15.6.0-canary13 | 15.6.0-canary13.x |
| vercel / next.js | 15.6.0-canary14 | 15.6.0-canary14.x |
| vercel / next.js | 15.6.0-canary15 | 15.6.0-canary15.x |
| vercel / next.js | 15.6.0-canary16 | 15.6.0-canary16.x |
| vercel / next.js | 15.6.0-canary17 | 15.6.0-canary17.x |
| vercel / next.js | 15.6.0-canary18 | 15.6.0-canary18.x |
| vercel / next.js | 15.6.0-canary19 | 15.6.0-canary19.x |
| vercel / next.js | 15.6.0-canary2 | 15.6.0-canary2.x |
| vercel / next.js | 15.6.0-canary20 | 15.6.0-canary20.x |
| vercel / next.js | 15.6.0-canary21 | 15.6.0-canary21.x |
| vercel / next.js | 15.6.0-canary22 | 15.6.0-canary22.x |
| vercel / next.js | 15.6.0-canary23 | 15.6.0-canary23.x |
| vercel / next.js | 15.6.0-canary24 | 15.6.0-canary24.x |
| vercel / next.js | 15.6.0-canary25 | 15.6.0-canary25.x |
| vercel / next.js | 15.6.0-canary26 | 15.6.0-canary26.x |
| vercel / next.js | 15.6.0-canary27 | 15.6.0-canary27.x |
| vercel / next.js | 15.6.0-canary28 | 15.6.0-canary28.x |
| vercel / next.js | 15.6.0-canary29 | 15.6.0-canary29.x |
| vercel / next.js | 15.6.0-canary3 | 15.6.0-canary3.x |
| vercel / next.js | 15.6.0-canary30 | 15.6.0-canary30.x |
| vercel / next.js | 15.6.0-canary31 | 15.6.0-canary31.x |
| vercel / next.js | 15.6.0-canary32 | 15.6.0-canary32.x |
| vercel / next.js | 15.6.0-canary33 | 15.6.0-canary33.x |
| vercel / next.js | 15.6.0-canary34 | 15.6.0-canary34.x |
| vercel / next.js | 15.6.0-canary35 | 15.6.0-canary35.x |
| vercel / next.js | 15.6.0-canary36 | 15.6.0-canary36.x |
| vercel / next.js | 15.6.0-canary37 | 15.6.0-canary37.x |
| vercel / next.js | 15.6.0-canary38 | 15.6.0-canary38.x |
| vercel / next.js | 15.6.0-canary39 | 15.6.0-canary39.x |
| vercel / next.js | 15.6.0-canary4 | 15.6.0-canary4.x |
| vercel / next.js | 15.6.0-canary40 | 15.6.0-canary40.x |
| vercel / next.js | 15.6.0-canary41 | 15.6.0-canary41.x |
| vercel / next.js | 15.6.0-canary42 | 15.6.0-canary42.x |
| vercel / next.js | 15.6.0-canary43 | 15.6.0-canary43.x |
| vercel / next.js | 15.6.0-canary44 | 15.6.0-canary44.x |
| vercel / next.js | 15.6.0-canary45 | 15.6.0-canary45.x |
| vercel / next.js | 15.6.0-canary46 | 15.6.0-canary46.x |
| vercel / next.js | 15.6.0-canary47 | 15.6.0-canary47.x |
| vercel / next.js | 15.6.0-canary48 | 15.6.0-canary48.x |
| vercel / next.js | 15.6.0-canary49 | 15.6.0-canary49.x |
| vercel / next.js | 15.6.0-canary5 | 15.6.0-canary5.x |
| vercel / next.js | 15.6.0-canary50 | 15.6.0-canary50.x |
| vercel / next.js | 15.6.0-canary51 | 15.6.0-canary51.x |
| vercel / next.js | 15.6.0-canary52 | 15.6.0-canary52.x |
| vercel / next.js | 15.6.0-canary53 | 15.6.0-canary53.x |
| vercel / next.js | 15.6.0-canary54 | 15.6.0-canary54.x |
| vercel / next.js | 15.6.0-canary55 | 15.6.0-canary55.x |
| vercel / next.js | 15.6.0-canary56 | 15.6.0-canary56.x |
| vercel / next.js | 15.6.0-canary57 | 15.6.0-canary57.x |
| vercel / next.js | 15.6.0-canary6 | 15.6.0-canary6.x |
| vercel / next.js | 15.6.0-canary7 | 15.6.0-canary7.x |
| vercel / next.js | 15.6.0-canary8 | 15.6.0-canary8.x |
| vercel / next.js | 15.6.0-canary9 | 15.6.0-canary9.x |
| vercel / next.js | 16.0.0 | 16.0.0.x |
- http://www.openwall.com/lists/oss-security/2025/12/03/4
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- https://news.ycombinator.com/item?id=46136026
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182
- https://www.facebook.com/security/advisories/cve-2025-55182
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime