HIGH | CISA KEV | IN THE WILD

CVE-2025-55182

Published: December 5, 2025

EPSS: 59.56% probability of exploitation in 30 days. Percentile: 98.2th

Official Description

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025-55182.

NVD Source

CISA KEV Advisory

Meta React Server Components Remote Code Execution Vulnerability

Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025-55182.

Added to KEV: 2025-12-05
Federal patch deadline: 2025-12-12
⚠ USED IN RANSOMWARE CAMPAIGNS

Required Action (CISA)

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Risk Analysis

Meta React Server Components are vulnerable to remote code execution due to a flaw in how React decodes payloads to React Server Function endpoints. The high EPSS score of 0.59560 and confirmed exploitation indicate this is a severe threat to applications using these components.

This vulnerability is actively exploited in the wild and is listed in CISA's KEV catalog. It allows for unauthenticated remote code execution.

Recommended Action

Apply the latest security updates or patches for Meta React Server Components. Implement robust input validation and secure coding practices to prevent deserialization vulnerabilities.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2025-55182 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild

News & Research Mentioning CVE-2025-55182

Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
The DFIR Report · May 11, 2026

The EtherRAT malware family was first reported by Sysdig back in December 2025. At that time, the initial access vector was exploitation of CVE-2025-55182 (React2Shell) targeting Linux servers. In March 2026, a Windows variant campaign was reported by Atos, with their investigation showing evidence of activity going back to the previous December. In April, we […]

Hackers exploit React2Shell in automated credential theft campaign
BleepingComputer · Apr 5, 2026

Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]

Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
The Hacker News · Apr 2, 2026

A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale. Cisco Talos has attributed the operation to a threat cluster it tracks as

December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
Recorded Future Blog · Jan 12, 2026

December 2025 saw a 120% surge in critical CVEs, with 22 exploited flaws and React2Shell (CVE-2025-55182) dominating threat activity across Meta’s React framework.

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)
Mandiant Blog · Dec 12, 2025

Written by: Aragorn Tseng, Robert Weiner, Casey Charrier, Zander Work, Genevieve Stark, Austin Larsen

Introduction: On Dec. 3, 2025, a critical unauthenticated remote code execution (RCE) vulnerability in React Server Components, tracked as CVE-2025-55182 (aka "React2Shell"), was publicly disclosed. Shortly after disclosure, Google Threat Intelligence Group (GTIG) had begun observing widespread exploitation across many threat clusters, ranging from opportunistic cyber crime actors to suspected espionage groups. GTIG has identified distinct campaigns leveraging this vulnerability to deploy a MINOCAT tunneler, SNOWLIGHT downloader, HISONIC backdoor, and COMPOOD backdoor, as well as XMRIG cryptocurrency miners, some of which overlaps with activity previously reported by Huntress. These observed campaigns highlight the risk posed to organizations using unpatched versions of React and Next.js. This post details the observed exploitation chains and post-compromise behaviors and provides intel

PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
Huntress Blog · Dec 9, 2025

Huntress is seeing threat actors exploit React2Shell (CVE-2025-55182) to deploy a Linux backdoor, a reverse proxy tunnel, and a Go-based post-exploitation implant.

Quick Facts

CVE ID: CVE-2025-55182
Severity: HIGH
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
EPSS (30d): 59.56%
Published: Dec 5, 2025

Known Threat Actors

  • Oni (financial)
  • wa (financial)
  • vect (financial)
  • B0 (financial)
  • bert (financial)
  • pear (financial)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-55182 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1

Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.