{"dataType": "CVE_RECORD", "containers": {"adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Critical\"}"}}}], "affected": [{"vendor": "redhat", "product": "firefox", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "thunderbird", "platforms": ["cpe:/o:redhat:enterprise_linux:10"], "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-55182"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418613"}, {"url": "https://nextjs.org/blog/CVE-2025-66478"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"}, {"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-55182"}, {"url": "https://www.facebook.com/security/advisories/cve-2025-55182"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the React Server Components (RSC) protocol in which an attacker could send a malicious payload to a Server Function endpoint and cause unauthenticated remote code execution. 
This is possible due to the way the affected packages deserialized untrusted data."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-12-03T15:40:56Z", "x_subShortName": "redhat_10"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Critical\"}"}}}], "affected": [{"vendor": "redhat", "product": "firefox", "platforms": ["cpe:/o:redhat:enterprise_linux:7"], "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-55182"}], "descriptions": [{"lang": "en", "value": "Red Hat's versions of the associated software have been determined to NOT be affected by CVE-2025-55182."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-12-03T15:40:00Z", "x_subShortName": "redhat_7"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Critical\"}"}}}], "affected": [{"vendor": "redhat", "product": "firefox", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "thunderbird", "platforms": ["cpe:/o:redhat:enterprise_linux:8"], "defaultStatus": "unaffected"}], 
"references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-55182"}], "descriptions": [{"lang": "en", "value": "Red Hat's versions of the associated software have been determined to NOT be affected by CVE-2025-55182."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-12-03T15:40:00Z", "x_subShortName": "redhat_8"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"Critical\"}"}}}], "affected": [{"vendor": "redhat", "product": "aspnetcore-runtime-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "aspnetcore-targeting-pack-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet-apphost-pack-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet-host", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet-hostfxr-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet-runtime-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet-sdk-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet-sdk-7.0-source-built-artifacts", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": 
"unaffected"}, {"vendor": "redhat", "product": "dotnet-targeting-pack-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet-templates-7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "dotnet7.0", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "firefox", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "firefox-x11", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "netstandard-targeting-pack-2.1", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}, {"vendor": "redhat", "product": "thunderbird", "platforms": ["cpe:/o:redhat:enterprise_linux:9"], "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-55182"}], "descriptions": [{"lang": "en", "value": "Red Hat's versions of the associated software have been determined to NOT be affected by CVE-2025-55182."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-12-03T15:40:00Z", "x_subShortName": "redhat_9"}}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "Unknown", "content": {"data": "{\"description\":\"CRITICAL\"}"}}}], "affected": [{"vendor": "npm", "product": "react-server-dom-parcel", "versions": [{"status": "affected", "version": "19.0.0", "lessThan": "19.0.1", "versionType": "semver"}, 
{"status": "affected", "version": "19.1.0", "lessThan": "19.1.2", "versionType": "semver"}, {"status": "affected", "version": "19.2.0", "lessThan": "19.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "npm", "product": "react-server-dom-turbopack", "versions": [{"status": "affected", "version": "19.0.0", "lessThan": "19.0.1", "versionType": "semver"}, {"status": "affected", "version": "19.1.0", "lessThan": "19.1.2", "versionType": "semver"}, {"status": "affected", "version": "19.2.0", "lessThan": "19.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "npm", "product": "react-server-dom-webpack", "versions": [{"status": "affected", "version": "19.0.0", "lessThan": "19.0.1", "versionType": "semver"}, {"status": "affected", "version": "19.1.0", "lessThan": "19.1.2", "versionType": "semver"}, {"status": "affected", "version": "19.2.0", "lessThan": "19.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"}, {"url": "https://github.com/ejpir/CVE-2025-55182-poc"}, {"url": "https://github.com/facebook/react"}, {"url": "https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700"}, {"url": "https://github.com/facebook/react/pull/35277"}, {"url": "https://github.com/facebook/react/releases/tag/v19.0.1"}, {"url": "https://github.com/facebook/react/releases/tag/v19.1.2"}, {"url": "https://github.com/facebook/react/releases/tag/v19.2.1"}, {"url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r"}, {"url": "https://news.ycombinator.com/item?id=46136026"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"}, {"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"}, {"url": "https://www.facebook.com/security/advisories/cve-2025-55182"}], "descriptions": [{"lang": "en", "value": "### Impact\n\nThere is an unauthenticated remote code 
execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions."}, {"lang": "en", "value": "React Server Components are Vulnerable to RCE"}], "providerMetadata": {"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558", "shortName": "npm", "dateUpdated": "2025-12-03T19:07:39Z", "x_subShortName": "npm"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*"], "vendor": "facebook", "product": "react", "versions": [{"status": "affected", "version": "19.0.0"}, {"status": "affected", "version": "19.1.0"}, {"status": "affected", "version": "19.1.1"}, {"status": "affected", "version": "19.2.0"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*", 
"cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*", 
"cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*", "cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*"], "vendor": "vercel", "product": "next.js", "versions": [{"status": "affected", "version": "15.0.0", "lessThan": "15.0.5", "versionType": "custom"}, {"status": "affected", "version": "15.1.0", "lessThan": "15.1.9", "versionType": "custom"}, {"status": "affected", "version": "15.2.0", "lessThan": "15.2.6", "versionType": "custom"}, {"status": "affected", "version": "15.3.0", "lessThan": "15.3.6", "versionType": "custom"}, {"status": "affected", "version": "15.4.0", "lessThan": "15.4.8", "versionType": "custom"}, {"status": "affected", "version": "15.5.0", "lessThan": "15.5.7", "versionType": "custom"}, {"status": "affected", "version": "16.0.0", "lessThan": "16.0.7", "versionType": "custom"}, {"status": "affected", "version": "14.3.0"}, {"status": "affected", "version": "15.6.0"}, {"status": "affected", "version": "16.0.0"}], "platforms": ["node.js"], "defaultStatus": "unaffected"}], "references": [{"url": "https://news.ycombinator.com/item?id=46136026", "tags": ["issue-tracking"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4", "tags": ["mailing-list", "patch", "third-party-advisory"]}, {"url": 
"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components", "tags": ["patch", "vendor-advisory"]}, {"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/", "tags": ["third-party-advisory"]}, {"url": "https://www.facebook.com/security/advisories/cve-2025-55182", "tags": ["vendor-advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182", "tags": ["x_us-government-resource"]}], "descriptions": [{"lang": "en", "value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502"}]}], "providerMetadata": {"orgId": "00000000-0000-4000-A000-000000000003", "shortName": "nvd", "dateUpdated": "2025-12-03T16:15:56Z", "x_subShortName": "nvd"}}}, "cveMetadata": {"cveId": "CVE-2025-55182", "state": "PUBLISHED", "dateUpdated": "2025-12-05T17:44:58Z", "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "datePublished": "2025-12-03T16:15:56Z", "assignerShortName": "facebook"}, "dataVersion": "5.0"}