CVE-2025-55182
BaseFortify
Publication date: 2025-12-03
Last updated on: 2025-12-10
Assigner: Facebook, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| react | | 19.0.0 |
| react | | 19.1.0 |
| react | | 19.1.1 |
| react | | 19.2.0 |
| vercel | next.js | From 15.0.0 (inc) to 15.0.5 (exc) |
| vercel | next.js | From 15.1.0 (inc) to 15.1.9 (exc) |
| vercel | next.js | From 15.2.0 (inc) to 15.2.6 (exc) |
| vercel | next.js | From 15.3.0 (inc) to 15.3.6 (exc) |
| vercel | next.js | From 15.4.0 (inc) to 15.4.8 (exc) |
| vercel | next.js | From 15.5.0 (inc) to 15.5.7 (exc) |
| vercel | next.js | From 16.0.0 (inc) to 16.0.7 (exc) |
| vercel | next.js | 14.3.0 |
| vercel | next.js | 15.6.0 |
| vercel | next.js | 16.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a pre-authentication remote code execution issue in certain versions of React Server Components. It occurs because the vulnerable code unsafely deserializes payloads received from HTTP requests to Server Function endpoints, allowing an attacker to execute arbitrary code remotely without needing to authenticate.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full system compromise. Since it allows remote code execution without authentication, an attacker could take control of the affected server, leading to data theft, service disruption, or further attacks within the network.