Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-55182 (GCVE-0-2025-55182)
Vulnerability from cvelistv5 – Published: 2025-12-03 15:40 – Updated: 2025-12-11 20:15
VLAI?
EPSS
Summary
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Severity ?
10 (Critical)
CWE
- Deserialization of Untrusted Data (CWE-502)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Affected:
19.0.0 , ≤ 19.0.0
(semver)
Affected: 19.1.0 , ≤ 19.1.1 (semver) Affected: 19.2.0 , ≤ 19.2.0 (semver) |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55182",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-05",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T04:55:42.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"media-coverage"
],
"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T00:00:00+00:00",
"value": "CVE-2025-55182 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-04T17:32:12.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
},
{
"url": "https://news.ycombinator.com/item?id=46136026"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.0.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.1.1",
"status": "affected",
"version": "19.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.2.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization of Untrusted Data (CWE-502)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:15:37.699Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55182",
"datePublished": "2025-12-03T15:40:56.894Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-11T20:15:37.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2025-55182",
"dateAdded": "2025-12-05",
"dueDate": "2025-12-12",
"knownRansomwareCampaignUse": "Known",
"notes": "Check for signs of potential compromise on all internet accessible REACT instances after applying mitigations. For more information, please see: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components ; https://github.com/vercel-labs/fix-react2shell-next?tab=readme-ov-file ; https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
"product": "React Server Components",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. Please note CVE-2025-66478 has been rejected, but it is associated with CVE-2025- 55182.",
"vendorProject": "Meta",
"vulnerabilityName": "Meta React Server Components Remote Code Execution Vulnerability"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/12/03/4\"}, {\"url\": \"https://news.ycombinator.com/item?id=46136026\"}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-12-04T17:32:12.884Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-55182\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-05T14:59:52.187003Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-12-05\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182\"}}}], \"references\": [{\"url\": \"https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/\", \"tags\": [\"media-coverage\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-03T16:30:54.157Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-12-05T00:00:00+00:00\", \"value\": \"CVE-2025-55182 added to CISA KEV\"}]}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 10, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Meta\", \"product\": \"react-server-dom-webpack\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.0.0\"}, {\"status\": \"affected\", \"version\": \"19.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.1.1\"}, {\"status\": \"affected\", \"version\": \"19.2.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.2.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Meta\", \"product\": \"react-server-dom-turbopack\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.0.0\"}, {\"status\": \"affected\", \"version\": \"19.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.1.1\"}, {\"status\": \"affected\", \"version\": \"19.2.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.2.0\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Meta\", \"product\": \"react-server-dom-parcel\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.0.0\"}, {\"status\": \"affected\", \"version\": \"19.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.1.1\"}, {\"status\": \"affected\", \"version\": \"19.2.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"19.2.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.facebook.com/security/advisories/cve-2025-55182\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"dateAssigned\": \"2025-12-02T00:00:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"Deserialization of Untrusted Data (CWE-502)\"}]}], \"providerMetadata\": {\"orgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"shortName\": \"Meta\", \"dateUpdated\": \"2025-12-11T20:15:37.699Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-55182\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-11T20:15:37.699Z\", \"dateReserved\": \"2025-08-08T18:21:47.119Z\", \"assignerOrgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"datePublished\": \"2025-12-03T15:40:56.894Z\", \"assignerShortName\": \"Meta\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2025-AVI-1131
Vulnerability from certfr_avis - Published: 2025-12-19 - Updated: 2025-12-19
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Db2 Warehouse | Db2 Warehouse on Cloud Pak for Data versions antérieures à 5.3.0 | ||
| IBM | QRadar SIEM | QRadar SIEM versions 7.5.0 versions antérieures à 7.5.0 UP14 IF03 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions 6.3.0.x antérieures à 6.3.0.16 | ||
| IBM | QRadar | QRadar Suite Software versions 1.11.x antérieures à 1.11.8.0 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct Web Services versions 6.4.0.x antérieures à 6.4.0.5 | ||
| IBM | Sterling Partner Engagement Manager Standard Edition | Sterling Partner Engagement Manager Standard Edition versions 6.2.4.x antérieures à 6.2.4.5 | ||
| IBM | Sterling Partner Engagement Manager Standard Edition | Sterling Partner Engagement Manager Standard Edition versions 6.2.3.x antérieures à 6.2.3.5 | ||
| IBM | Db2 | Db2 on Cloud Pak for Data versions antérieures à 5.3.0 | ||
| IBM | Cognos Dashboards | Cognos Dashboards on Cloud Pak for Data versions 5.x antérieures à 5.3 | ||
| IBM | Db2 | Db2 Intelligence Center versions 1.1.x antérieures à 1.1.3.0 | ||
| IBM | Sterling Partner Engagement Manager Essentials Edition | Sterling Partner Engagement Manager Essentials Edition versions 6.2.4.x antérieures à 6.2.4.2 | ||
| IBM | Sterling Partner Engagement Manager Essentials Edition | Sterling Partner Engagement Manager Essentials Edition versions 6.2.3.x antérieures à 6.2.3.5 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 5.3.0",
"product": {
"name": "Db2 Warehouse",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.0 versions ant\u00e9rieures \u00e0 7.5.0 UP14 IF03",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions 6.3.0.x ant\u00e9rieures \u00e0 6.3.0.16",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.11.x ant\u00e9rieures \u00e0 1.11.8.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct Web Services versions 6.4.0.x ant\u00e9rieures \u00e0 6.4.0.5",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.4.x ant\u00e9rieures \u00e0 6.2.4.5 ",
"product": {
"name": "Sterling Partner Engagement Manager Standard Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Standard Edition versions 6.2.3.x ant\u00e9rieures \u00e0 6.2.3.5 ",
"product": {
"name": "Sterling Partner Engagement Manager Standard Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 on Cloud Pak for Data versions ant\u00e9rieures \u00e0 5.3.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cognos Dashboards on Cloud Pak for Data versions 5.x ant\u00e9rieures \u00e0 5.3",
"product": {
"name": "Cognos Dashboards",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Intelligence Center versions 1.1.x ant\u00e9rieures \u00e0 1.1.3.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.4.x ant\u00e9rieures \u00e0 6.2.4.2",
"product": {
"name": "Sterling Partner Engagement Manager Essentials Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Partner Engagement Manager Essentials Edition versions 6.2.3.x ant\u00e9rieures \u00e0 6.2.3.5",
"product": {
"name": "Sterling Partner Engagement Manager Essentials Edition",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-6395",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6395"
},
{
"name": "CVE-2025-2534",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-2534"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2025-4447",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4447"
},
{
"name": "CVE-2024-38286",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38286"
},
{
"name": "CVE-2025-8941",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8941"
},
{
"name": "CVE-2021-26272",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-26272"
},
{
"name": "CVE-2025-41234",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41234"
},
{
"name": "CVE-2025-39761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39761"
},
{
"name": "CVE-2024-49350",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49350"
},
{
"name": "CVE-2025-39883",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39883"
},
{
"name": "CVE-2025-36131",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-36131"
},
{
"name": "CVE-2025-0913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0913"
},
{
"name": "CVE-2025-47907",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
},
{
"name": "CVE-2024-12797",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12797"
},
{
"name": "CVE-2025-30065",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30065"
},
{
"name": "CVE-2024-47118",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47118"
},
{
"name": "CVE-2021-2341",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2341"
},
{
"name": "CVE-2022-45061",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2021-47621",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47621"
},
{
"name": "CVE-2025-24970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
},
{
"name": "CVE-2022-21299",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21299"
},
{
"name": "CVE-2024-45341",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45341"
},
{
"name": "CVE-2025-7962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7962"
},
{
"name": "CVE-2025-61912",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61912"
},
{
"name": "CVE-2022-21305",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21305"
},
{
"name": "CVE-2025-55198",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55198"
},
{
"name": "CVE-2025-5372",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5372"
},
{
"name": "CVE-2025-58057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
},
{
"name": "CVE-2022-25927",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25927"
},
{
"name": "CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"name": "CVE-2025-1992",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1992"
},
{
"name": "CVE-2024-34158",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34158"
},
{
"name": "CVE-2025-30754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30754"
},
{
"name": "CVE-2025-22233",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22233"
},
{
"name": "CVE-2025-36136",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-36136"
},
{
"name": "CVE-2025-38724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38724"
},
{
"name": "CVE-2020-9493",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9493"
},
{
"name": "CVE-2025-36008",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-36008"
},
{
"name": "CVE-2024-38820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38820"
},
{
"name": "CVE-2025-47906",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47906"
},
{
"name": "CVE-2025-39718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39718"
},
{
"name": "CVE-2025-59375",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59375"
},
{
"name": "CVE-2024-23454",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23454"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2025-58188",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58188"
},
{
"name": "CVE-2025-36006",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-36006"
},
{
"name": "CVE-2023-34055",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34055"
},
{
"name": "CVE-2025-36186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-36186"
},
{
"name": "CVE-2025-55182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55182"
},
{
"name": "CVE-2025-38079",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38079"
},
{
"name": "CVE-2025-6493",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6493"
},
{
"name": "CVE-2025-6020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6020"
},
{
"name": "CVE-2021-2369",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2369"
},
{
"name": "CVE-2025-22868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22868"
},
{
"name": "CVE-2025-33012",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33012"
},
{
"name": "CVE-2024-56337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56337"
},
{
"name": "CVE-2025-5187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5187"
},
{
"name": "CVE-2025-61723",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61723"
},
{
"name": "CVE-2025-41235",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41235"
},
{
"name": "CVE-2025-21587",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21587"
},
{
"name": "CVE-2023-53539",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53539"
},
{
"name": "CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"name": "CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"name": "CVE-2025-61725",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61725"
},
{
"name": "CVE-2021-2388",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2388"
},
{
"name": "CVE-2025-39955",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39955"
},
{
"name": "CVE-2025-32990",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32990"
},
{
"name": "CVE-2025-2518",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-2518"
},
{
"name": "CVE-2024-41946",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41946"
},
{
"name": "CVE-2022-21365",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21365"
},
{
"name": "CVE-2025-32989",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32989"
},
{
"name": "CVE-2024-38827",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38827"
},
{
"name": "CVE-2025-38292",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38292"
},
{
"name": "CVE-2025-50059",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-50059"
},
{
"name": "CVE-2025-55199",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55199"
},
{
"name": "CVE-2024-34156",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34156"
},
{
"name": "CVE-2018-10237",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10237"
},
{
"name": "CVE-2025-59250",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59250"
},
{
"name": "CVE-2025-1493",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1493"
},
{
"name": "CVE-2025-30761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30761"
},
{
"name": "CVE-2024-47535",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47535"
},
{
"name": "CVE-2025-3050",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-3050"
},
{
"name": "CVE-2022-21294",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21294"
},
{
"name": "CVE-2025-1767",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1767"
},
{
"name": "CVE-2021-26271",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-26271"
},
{
"name": "CVE-2025-30698",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30698"
},
{
"name": "CVE-2024-38821",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38821"
},
{
"name": "CVE-2025-58187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58187"
},
{
"name": "CVE-2025-39825",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39825"
},
{
"name": "CVE-2025-22871",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22871"
},
{
"name": "CVE-2025-32988",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32988"
},
{
"name": "CVE-2024-34750",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34750"
},
{
"name": "CVE-2022-21341",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21341"
},
{
"name": "CVE-2023-53401",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53401"
},
{
"name": "CVE-2025-47913",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47913"
},
{
"name": "CVE-2020-8908",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8908"
},
{
"name": "CVE-2025-24294",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24294"
},
{
"name": "CVE-2025-0915",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0915"
},
{
"name": "CVE-2022-21340",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21340"
},
{
"name": "CVE-2022-21293",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21293"
},
{
"name": "CVE-2025-38351",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38351"
},
{
"name": "CVE-2025-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
},
{
"name": "CVE-2024-52903",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52903"
},
{
"name": "CVE-2022-21282",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21282"
},
{
"name": "CVE-2022-21349",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21349"
},
{
"name": "CVE-2025-32415",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32415"
},
{
"name": "CVE-2025-46653",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-46653"
},
{
"name": "CVE-2025-22235",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22235"
},
{
"name": "CVE-2021-28861",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28861"
},
{
"name": "CVE-2022-21248",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21248"
},
{
"name": "CVE-2018-14721",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14721"
},
{
"name": "CVE-2025-32414",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-32414"
},
{
"name": "CVE-2025-2900",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-2900"
},
{
"name": "CVE-2025-0426",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0426"
},
{
"name": "CVE-2020-9281",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9281"
},
{
"name": "CVE-2024-50301",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50301"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2025-1000",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1000"
},
{
"name": "CVE-2022-3697",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3697"
},
{
"name": "CVE-2025-8058",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8058"
},
{
"name": "CVE-2023-53513",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53513"
},
{
"name": "CVE-2025-33134",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33134"
},
{
"name": "CVE-2024-50379",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-50379"
},
{
"name": "CVE-2025-5914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5914"
},
{
"name": "CVE-2023-39804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39804"
},
{
"name": "CVE-2025-58754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58754"
},
{
"name": "CVE-2025-53057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2024-22354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
},
{
"name": "CVE-2024-34155",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34155"
},
{
"name": "CVE-2024-41123",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41123"
},
{
"name": "CVE-2025-6442",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6442"
},
{
"name": "CVE-2025-53066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
},
{
"name": "CVE-2022-50543",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50543"
},
{
"name": "CVE-2025-22227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22227"
},
{
"name": "CVE-2025-47273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
},
{
"name": "CVE-2022-21360",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21360"
},
{
"name": "CVE-2025-61911",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61911"
},
{
"name": "CVE-2022-21296",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21296"
},
{
"name": "CVE-2025-14687",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14687"
},
{
"name": "CVE-2016-1000027",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000027"
},
{
"name": "CVE-2025-47287",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47287"
},
{
"name": "CVE-2024-49761",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49761"
},
{
"name": "CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"name": "CVE-2025-36185",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-36185"
},
{
"name": "CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
}
],
"initial_release_date": "2025-12-19T00:00:00",
"last_revision_date": "2025-12-19T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1131",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-19T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2025-12-15",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7252732",
"url": "https://www.ibm.com/support/pages/node/7252732"
},
{
"published_at": "2025-12-15",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7254815",
"url": "https://www.ibm.com/support/pages/node/7254815"
},
{
"published_at": "2025-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255060",
"url": "https://www.ibm.com/support/pages/node/7255060"
},
{
"published_at": "2025-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255154",
"url": "https://www.ibm.com/support/pages/node/7255154"
},
{
"published_at": "2025-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255095",
"url": "https://www.ibm.com/support/pages/node/7255095"
},
{
"published_at": "2025-12-16",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7254849",
"url": "https://www.ibm.com/support/pages/node/7254849"
},
{
"published_at": "2025-12-16",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7254850",
"url": "https://www.ibm.com/support/pages/node/7254850"
},
{
"published_at": "2025-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255160",
"url": "https://www.ibm.com/support/pages/node/7255160"
},
{
"published_at": "2025-12-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255065",
"url": "https://www.ibm.com/support/pages/node/7255065"
}
]
}
CERTFR-2025-AVI-1137
Vulnerability from certfr_avis - Published: 2025-12-26 - Updated: 2025-12-26
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Security QRadar Network Threat | Security QRadar Network Threat Analytics versions postérieures ou égales à 1.3.1 et antérieures à 1.4.2 | ||
| IBM | QRadar SIEM | Security QRadar Analyst Workflow versions postérieures à 2.32.0 et antérieures à 3.0.1 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct File Agent pour Solaris SPARC versions 1.4.x antérieures à 1.4.0.5_iFix002 | ||
| IBM | Sterling Connect:Direct | Sterling Connect:Direct File Agent pour AIX, Linux x64, Linux PPC et Windows versions postérieures à 1.4.0.2 et antérieures à 1.4.0.5_iFix001 | ||
| IBM | WebSphere | WebSphere Service Registry and Repository Studio versions 8.5.x antérieures à V8.5.6.3_IJ56659 | ||
| IBM | Db2 | Db2 Big SQL versions postérieures à 7.2.x sur Cloud Pack for Data 4.x versions antérieures à 7.7.3 sur Cloud Pack for Data 5.0.3 | ||
| IBM | WebSphere | WebSphere Service Registry and Repository sans les derniers correctifs de sécurité | ||
| IBM | Security QRadar SIEM | QRadar User Behavior Analytics versions postérieurs à 4.1.15 et antérieures à 5.0.3 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Security QRadar Network Threat Analytics versions post\u00e9rieures ou \u00e9gales \u00e0 1.3.1 et ant\u00e9rieures \u00e0 1.4.2",
"product": {
"name": "Security QRadar Network Threat",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Security QRadar Analyst Workflow versions post\u00e9rieures \u00e0 2.32.0 et ant\u00e9rieures \u00e0 3.0.1",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct File Agent pour Solaris SPARC versions 1.4.x ant\u00e9rieures \u00e0 1.4.0.5_iFix002 ",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct File Agent pour AIX, Linux x64, Linux PPC et Windows versions post\u00e9rieures \u00e0 1.4.0.2 et ant\u00e9rieures \u00e0 1.4.0.5_iFix001",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Service Registry and Repository Studio versions 8.5.x ant\u00e9rieures \u00e0 V8.5.6.3_IJ56659",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": " Db2 Big SQL versions post\u00e9rieures \u00e0 7.2.x sur Cloud Pack for Data 4.x versions ant\u00e9rieures \u00e0 7.7.3 sur Cloud Pack for Data 5.0.3",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Service Registry and Repository sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar User Behavior Analytics versions post\u00e9rieurs \u00e0 4.1.15 et ant\u00e9rieures \u00e0 5.0.3",
"product": {
"name": "Security QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2015-2327",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2327"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2024-37891",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37891"
},
{
"name": "CVE-2023-38264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38264"
},
{
"name": "CVE-2015-8383",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8383"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2025-4447",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-4447"
},
{
"name": "CVE-2024-20926",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20926"
},
{
"name": "CVE-2023-46167",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-46167"
},
{
"name": "CVE-2025-47279",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47279"
},
{
"name": "CVE-2023-45178",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45178"
},
{
"name": "CVE-2021-23440",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23440"
},
{
"name": "CVE-2023-47701",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47701"
},
{
"name": "CVE-2023-40687",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40687"
},
{
"name": "CVE-2015-8381",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8381"
},
{
"name": "CVE-2015-8392",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8392"
},
{
"name": "CVE-2024-20921",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20921"
},
{
"name": "CVE-2015-8395",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8395"
},
{
"name": "CVE-2025-54798",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54798"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2015-8393",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8393"
},
{
"name": "CVE-2024-33883",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-33883"
},
{
"name": "CVE-2023-22081",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22081"
},
{
"name": "CVE-2025-57822",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57822"
},
{
"name": "CVE-2025-67779",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67779"
},
{
"name": "CVE-2025-55183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55183"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2023-22067",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22067"
},
{
"name": "CVE-2025-55173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55173"
},
{
"name": "CVE-2025-48068",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48068"
},
{
"name": "CVE-2025-7783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7783"
},
{
"name": "CVE-2025-55182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55182"
},
{
"name": "CVE-2025-57752",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-57752"
},
{
"name": "CVE-2015-8388",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8388"
},
{
"name": "CVE-2018-25032",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-25032"
},
{
"name": "CVE-2023-40692",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-40692"
},
{
"name": "CVE-2023-38003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38003"
},
{
"name": "CVE-2025-21587",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-21587"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2024-35195",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35195"
},
{
"name": "CVE-2025-9288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9288"
},
{
"name": "CVE-2023-33850",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33850"
},
{
"name": "CVE-2015-8385",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8385"
},
{
"name": "CVE-2015-8394",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8394"
},
{
"name": "CVE-2015-8391",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8391"
},
{
"name": "CVE-2015-8386",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8386"
},
{
"name": "CVE-2015-8384",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8384"
},
{
"name": "CVE-2025-30698",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-30698"
},
{
"name": "CVE-2015-8387",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8387"
},
{
"name": "CVE-2023-38727",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38727"
},
{
"name": "CVE-2023-22049",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22049"
},
{
"name": "CVE-2023-29258",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-29258"
},
{
"name": "CVE-2025-29927",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-29927"
},
{
"name": "CVE-2023-5676",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5676"
},
{
"name": "CVE-2002-0059",
"url": "https://www.cve.org/CVERecord?id=CVE-2002-0059"
},
{
"name": "CVE-2023-43020",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43020"
},
{
"name": "CVE-2024-39338",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39338"
},
{
"name": "CVE-2025-5889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5889"
},
{
"name": "CVE-2023-32731",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-32731"
},
{
"name": "CVE-2025-27789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
},
{
"name": "CVE-2015-2328",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-2328"
},
{
"name": "CVE-2024-20918",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20918"
},
{
"name": "CVE-2020-14155",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14155"
},
{
"name": "CVE-2025-64756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64756"
},
{
"name": "CVE-2015-8390",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8390"
},
{
"name": "CVE-2024-21085",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21085"
},
{
"name": "CVE-2024-20945",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20945"
},
{
"name": "CVE-2025-53057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53057"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2025-53066",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53066"
},
{
"name": "CVE-2025-55184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
},
{
"name": "CVE-2024-20952",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-20952"
}
],
"initial_release_date": "2025-12-26T00:00:00",
"last_revision_date": "2025-12-26T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1137",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-26T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2025-12-19",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255497",
"url": "https://www.ibm.com/support/pages/node/7255497"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255727",
"url": "https://www.ibm.com/support/pages/node/7255727"
},
{
"published_at": "2025-12-19",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255495",
"url": "https://www.ibm.com/support/pages/node/7255495"
},
{
"published_at": "2025-12-19",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255496",
"url": "https://www.ibm.com/support/pages/node/7255496"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255723",
"url": "https://www.ibm.com/support/pages/node/7255723"
},
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255557",
"url": "https://www.ibm.com/support/pages/node/7255557"
},
{
"published_at": "2025-12-19",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255410",
"url": "https://www.ibm.com/support/pages/node/7255410"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255729",
"url": "https://www.ibm.com/support/pages/node/7255729"
},
{
"published_at": "2025-12-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255556",
"url": "https://www.ibm.com/support/pages/node/7255556"
},
{
"published_at": "2025-12-23",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7255731",
"url": "https://www.ibm.com/support/pages/node/7255731"
}
]
}
CERTFR-2025-ALE-014
Vulnerability from certfr_alerte - Published: 2025-12-05 - Updated: 2026-02-12
[Mise à jour du 11 décembre 2025]
Le CERT-FR a connaissance de multiples exploitations de la vulnérabilité CVE-2025-55182. Les serveurs avec une version vulnérable exposés après la publication des preuves de concept publiques du 5 décembre 2025 doivent être considérés comme compromis.
Certains billets de blogues [1] [2] incluent des indicateurs de compromission. Ces indicateurs n'ont pas été qualifiés par le CERT-FR.
[Mise à jour du 08 décembre 2025]
Le CERT-FR a connaissance d'exploitations pour la vulnérabilité CVE-2025-55182.
[Publication initiale]
Le 3 décembre 2025, React a publié un avis de sécurité relatif à la vulnérabilité CVE-2025-55182 affectant React Server Components et qui permet à un attaquant non authentifié de provoquer une exécution de code arbitraire à distance. L'éditeur de Next.js a également publié un avis de sécurité faisant référence à l'identifiant CVE-2025-66478. Cet identifiant a été rejeté en raison du doublon avec l'identifiant utilisé par React. Cette faille de sécurité est également connue sous le nom de React2Shell.
Cette vulnérabilité concerne plus précisément les React Server Functions. Même si une application n'utilise pas explicitement de telles fonctions, elle peut être vulnérable si elle supporte les React Server Components. En particulier, plusieurs cadriciels tels que Next.js implémentent de telles fonctions par défaut.
Les technologies React Server Components et React Server Functions sont relativement récentes (la version 19 de React a été publiée fin 2024) et toutes les applications utilisant la technologie React ne sont ainsi pas nécessairement affectées. Veuillez vous référer à la section systèmes affectés pour plus d'informations.
Le CERT-FR a connaissance de preuves de concept publiques pour cette vulnérabilité et anticipe des exploitations en masse.
Note : Le CERT-FR a connaissance de la mise en place de règles de blocages de la vulnérabilité au niveau de plusieurs pare-feu applicatifs web populaires. Bien que ces mécanismes puissent rendre l'exploitation de la vulnérabilité plus difficile, ils ne peuvent pas remplacer une mise à jour vers une version corrective.
Solutions
Le CERT-FR recommande de mettre à jour au plus vite les composants vers les versions correctives listées dans les avis éditeurs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| N/A | N/A | Expo sans les versions correctives de react-server-dom-webpack | ||
| N/A | N/A | Redwood SDK versions antérieures à 1.0.0-alpha.0 | ||
| Vercel | Next.js | Next.js versions 15.0.x antérieures à 15.0.5 | ||
| N/A | N/A | Waku sans les versions correctives de react-server-dom-webpack | ||
| Vercel | Next.js | Next.js versions 15.1.x antérieures à 15.1.9 | ||
| Vercel | Next.js | Next.js versions 15.5.x antérieures à 15.5.7 | ||
| Meta | React | react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.2.x antérieures à 19.2.1 | ||
| Vercel | Next.js | Next.js versions 14.x canary | ||
| Vercel | Next.js | Next.js versions 15.3.x antérieures à 15.3.6 | ||
| N/A | N/A | React router avec le support de l'API RSC sans les derniers correctifs de sécurité | ||
| Meta | React | react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.0.x antérieures à 19.0.1 | ||
| Vercel | Next.js | Next.js versions 15.4.x antérieures à 15.4.8 | ||
| Meta | React | react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.1.x antérieures à 19.1.2 | ||
| Vercel | Next.js | Next.js versions 16.0.x antérieures à 16.0.7 | ||
| N/A | N/A | Vitejs avec le greffon plugin-rsc sans les derniers correctifs de sécurité | ||
| Vercel | Next.js | Next.js versions 15.2.x antérieures à 15.2.6 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Expo sans les versions correctives de react-server-dom-webpack",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Redwood SDK versions ant\u00e9rieures \u00e0 1.0.0-alpha.0",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Next.js versions 15.0.x ant\u00e9rieures \u00e0 15.0.5",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Waku sans les versions correctives de react-server-dom-webpack",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Next.js versions 15.1.x ant\u00e9rieures \u00e0 15.1.9",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Next.js versions 15.5.x ant\u00e9rieures \u00e0 15.5.7",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.2.x ant\u00e9rieures \u00e0 19.2.1",
"product": {
"name": "React",
"vendor": {
"name": "Meta",
"scada": false
}
}
},
{
"description": "Next.js versions 14.x canary",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Next.js versions 15.3.x ant\u00e9rieures \u00e0 15.3.6",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "React router avec le support de l\u0027API RSC sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.0.x ant\u00e9rieures \u00e0 19.0.1",
"product": {
"name": "React",
"vendor": {
"name": "Meta",
"scada": false
}
}
},
{
"description": "Next.js versions 15.4.x ant\u00e9rieures \u00e0 15.4.8",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.1.x ant\u00e9rieures \u00e0 19.1.2",
"product": {
"name": "React",
"vendor": {
"name": "Meta",
"scada": false
}
}
},
{
"description": "Next.js versions 16.0.x ant\u00e9rieures \u00e0 16.0.7",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Vitejs avec le greffon plugin-rsc sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Next.js versions 15.2.x ant\u00e9rieures \u00e0 15.2.6",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
}
],
"affected_systems_content": "",
"closed_at": "2026-02-12",
"content": "## Solutions\n\nLe CERT-FR recommande de mettre \u00e0 jour au plus vite les composants vers les versions correctives list\u00e9es dans les avis \u00e9diteurs (cf. section Documentation). ",
"cves": [
{
"name": "CVE-2025-55182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55182"
},
{
"name": "CVE-2025-66478",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66478"
}
],
"initial_release_date": "2025-12-05T00:00:00",
"last_revision_date": "2026-02-12T00:00:00",
"links": [
{
"title": "[2] Billet de Blogue de Huntress, analyse et indicateurs de compromission",
"url": "https://www.huntress.com/blog/peerblight-linux-backdoor-exploits-react2shell"
},
{
"title": "Bulletin d\u0027actualit\u00e9 CERTFR-2025-ACT-053 du 04 d\u00e9cembre 2025",
"url": "https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053/"
},
{
"title": "[1] Billet de Blogue de Wiz.io, analyse et indicateurs de compromission ",
"url": "https://www.wiz.io/blog/nextjs-cve-2025-55182-react2shell-deep-dive"
},
{
"title": "Compromission syst\u00e8me - Qualification",
"url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2024-RFX-005/"
},
{
"title": "Compromission syst\u00e8me - Endiguement",
"url": "https://www.cert.ssi.gouv.fr/fiche/CERTFR-2024-RFX-006/"
}
],
"reference": "CERTFR-2025-ALE-014",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-05T00:00:00.000000"
},
{
"description": "Recherche de compromission, r\u00e9f\u00e9rences des fiches syst\u00e8me de qualification et endiguement",
"revision_date": "2025-12-11T00:00:00.000000"
},
{
"description": "connaissance d\u0027exploitations pour la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
"revision_date": "2025-12-08T00:00:00.000000"
},
{
"description": " Cl\u00f4ture de l\u0027alerte. Cela ne signifie pas la fin d\u0027une menace. Seule l\u0027application de la mise \u00e0 jour permet de vous pr\u00e9munir contre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 correspondante.",
"revision_date": "2026-02-12T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "**\u003cspan class=\"important-content\"\u003e[Mise \u00e0 jour du 11 d\u00e9cembre 2025]\u003c/span\u003e**\n\nLe CERT-FR a connaissance de multiples exploitations de la vuln\u00e9rabilit\u00e9 CVE-2025-55182. Les serveurs avec une version vuln\u00e9rable expos\u00e9s apr\u00e8s la publication des preuves de concept publiques du 5 d\u00e9cembre 2025 doivent \u00eatre consid\u00e9r\u00e9s comme compromis.\n\nCertains billets de blogues [1] [2] incluent des indicateurs de compromission. Ces indicateurs n\u0027ont pas \u00e9t\u00e9 qualifi\u00e9s par le CERT-FR.\n\n\n**[Mise \u00e0 jour du 08 d\u00e9cembre 2025]**\n\nLe CERT-FR a connaissance d\u0027exploitations pour la vuln\u00e9rabilit\u00e9 CVE-2025-55182.\n\n**[Publication initiale]**\n\nLe 3 d\u00e9cembre 2025, React a publi\u00e9 un avis de s\u00e9curit\u00e9 relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182 affectant React Server Components et qui permet \u00e0 un attaquant non authentifi\u00e9 de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance. L\u0027\u00e9diteur de Next.js a \u00e9galement publi\u00e9 un avis de s\u00e9curit\u00e9 faisant r\u00e9f\u00e9rence \u00e0 l\u0027identifiant CVE-2025-66478. Cet identifiant a \u00e9t\u00e9 rejet\u00e9 en raison du doublon avec l\u0027identifiant utilis\u00e9 par React. Cette faille de s\u00e9curit\u00e9 est \u00e9galement connue sous le nom de *React2Shell*. \n\nCette vuln\u00e9rabilit\u00e9 concerne plus pr\u00e9cis\u00e9ment les React Server Functions. M\u00eame si une application n\u0027utilise pas explicitement de telles fonctions, elle peut \u00eatre vuln\u00e9rable si elle supporte les React Server Components. En particulier, plusieurs cadriciels tels que Next.js impl\u00e9mentent de telles fonctions par d\u00e9faut. \n\nLes technologies React Server Components et React Server Functions sont relativement r\u00e9centes (la version 19 de React a \u00e9t\u00e9 publi\u00e9e fin 2024) et toutes les applications utilisant la technologie React ne sont ainsi pas n\u00e9cessairement affect\u00e9es. Veuillez vous r\u00e9f\u00e9rer \u00e0 la section syst\u00e8mes affect\u00e9s pour plus d\u0027informations.\n\nLe CERT-FR a connaissance de preuves de concept publiques pour cette vuln\u00e9rabilit\u00e9 et anticipe des exploitations en masse.\n\n*Note : Le CERT-FR a connaissance de la mise en place de r\u00e8gles de blocages de la vuln\u00e9rabilit\u00e9 au niveau de plusieurs pare-feu applicatifs web populaires. Bien que ces m\u00e9canismes puissent rendre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 plus difficile, ils ne peuvent pas remplacer une mise \u00e0 jour vers une version corrective.* ",
"title": "[M\u00e0J] Vuln\u00e9rabilit\u00e9 dans React Server Components",
"vendor_advisories": [
{
"published_at": "2025-12-03",
"title": "Billet de blogue React relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
},
{
"published_at": "2025-12-03",
"title": "Billet de blogue Vercel relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
"url": "https://vercel.com/changelog/cve-2025-55182"
},
{
"published_at": "2025-12-03",
"title": "Bulletin de s\u00e9curit\u00e9 Facebook CVE-2025-55182",
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
}
]
}
CNVD-2025-29924
Vulnerability from cnvd - Published: 2025-12-04
VLAI Severity ?
Title
Meta React Server Components远程代码执行漏洞
Description
React Server Components是React框架中的一种新组件模型,它允许组件在服务器上运行并渲染,并不在客户端浏览器中执行。
Meta React Server Components存在远程代码执行漏洞,该漏洞源于解析客户端提交的表单时缺少安全校验,攻击者可利用该漏洞构造恶意表单请求,直接调用Node.js内置模块,从而在服务器上执行任意系统命令、读写任意文件,甚至完全接管服务。
Severity
高
Patch Name
Meta React Server Components远程代码执行漏洞的补丁
Patch Description
React Server Components是React框架中的一种新组件模型,它允许组件在服务器上运行并渲染,并不在客户端浏览器中执行。
Meta React Server Components存在远程代码执行漏洞,该漏洞源于解析客户端提交的表单时缺少安全校验,攻击者可利用该漏洞构造恶意表单请求,直接调用Node.js内置模块,从而在服务器上执行任意系统命令、读写任意文件,甚至完全接管服务。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级程序修复该安全问题,详情见厂商官网: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Impacted products
| Name | ['Meta React Server Components 19.0.0', 'Meta React Server Components 19.0.1', 'Meta React Server Components 19.1.*', 'Meta React Server Components 19.2.0'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2025-55182"
}
},
"description": "React Server Components\u662fReact\u6846\u67b6\u4e2d\u7684\u4e00\u79cd\u65b0\u7ec4\u4ef6\u6a21\u578b\uff0c\u5b83\u5141\u8bb8\u7ec4\u4ef6\u5728\u670d\u52a1\u5668\u4e0a\u8fd0\u884c\u5e76\u6e32\u67d3\uff0c\u5e76\u4e0d\u5728\u5ba2\u6237\u7aef\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002\n\nMeta React Server Components\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u89e3\u6790\u5ba2\u6237\u7aef\u63d0\u4ea4\u7684\u8868\u5355\u65f6\u7f3a\u5c11\u5b89\u5168\u6821\u9a8c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6784\u9020\u6076\u610f\u8868\u5355\u8bf7\u6c42\uff0c\u76f4\u63a5\u8c03\u7528Node.js\u5185\u7f6e\u6a21\u5757\uff0c\u4ece\u800c\u5728\u670d\u52a1\u5668\u4e0a\u6267\u884c\u4efb\u610f\u7cfb\u7edf\u547d\u4ee4\u3001\u8bfb\u5199\u4efb\u610f\u6587\u4ef6\uff0c\u751a\u81f3\u5b8c\u5168\u63a5\u7ba1\u670d\u52a1\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51:\r\nhttps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2025-29924",
"openTime": "2025-12-04",
"patchDescription": "React Server Components\u662fReact\u6846\u67b6\u4e2d\u7684\u4e00\u79cd\u65b0\u7ec4\u4ef6\u6a21\u578b\uff0c\u5b83\u5141\u8bb8\u7ec4\u4ef6\u5728\u670d\u52a1\u5668\u4e0a\u8fd0\u884c\u5e76\u6e32\u67d3\uff0c\u5e76\u4e0d\u5728\u5ba2\u6237\u7aef\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u3002\r\n\r\nMeta React Server Components\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u89e3\u6790\u5ba2\u6237\u7aef\u63d0\u4ea4\u7684\u8868\u5355\u65f6\u7f3a\u5c11\u5b89\u5168\u6821\u9a8c\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6784\u9020\u6076\u610f\u8868\u5355\u8bf7\u6c42\uff0c\u76f4\u63a5\u8c03\u7528Node.js\u5185\u7f6e\u6a21\u5757\uff0c\u4ece\u800c\u5728\u670d\u52a1\u5668\u4e0a\u6267\u884c\u4efb\u610f\u7cfb\u7edf\u547d\u4ee4\u3001\u8bfb\u5199\u4efb\u610f\u6587\u4ef6\uff0c\u751a\u81f3\u5b8c\u5168\u63a5\u7ba1\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Meta React Server Components\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Meta React Server Components 19.0.0",
"Meta React Server Components 19.0.1",
"Meta React Server Components 19.1.*",
"Meta React Server Components 19.2.0"
]
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
"serverity": "\u9ad8",
"submitTime": "2025-12-04",
"title": "Meta React Server Components\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}
FKIE_CVE-2025-55182
Vulnerability from fkie_nvd - Published: 2025-12-03 16:15 - Updated: 2025-12-10 02:00
Severity ?
Summary
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
References
Impacted products
{
"cisaActionDue": "2025-12-12",
"cisaExploitAdd": "2025-12-05",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Meta React Server Components Remote Code Execution Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:facebook:react:19.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C66E1B0F-8C3F-4D27-9F46-B6EC78D8C60B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:19.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C6C1C3E2-542D-4001-BFA9-6CF5A038971D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:19.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A0907E1C-E2D2-44A4-AA46-CE80BCA4E015",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:facebook:react:19.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0030B5E1-E79E-4C48-B500-91747FE2751D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "FC2BCD83-CC87-4CDC-AD9B-2055912A8463",
"versionEndExcluding": "15.0.5",
"versionStartIncluding": "15.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "C5E767D4-E46F-4CA6-A22F-4D0671B9B102",
"versionEndExcluding": "15.1.9",
"versionStartIncluding": "15.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "5EFB6CB7-4A4F-464A-A1D8-62B50DF0B4BA",
"versionEndExcluding": "15.2.6",
"versionStartIncluding": "15.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "83AF54D7-410D-42B4-853A-8A1973636542",
"versionEndExcluding": "15.3.6",
"versionStartIncluding": "15.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "3D666EA7-BDAE-4E67-A331-B7403C3AA482",
"versionEndExcluding": "15.4.8",
"versionStartIncluding": "15.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "E666ECDA-7A29-4D3D-AC40-357F044AD595",
"versionEndExcluding": "15.5.7",
"versionStartIncluding": "15.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "CF65554E-4BF0-4344-AE7F-9E09E34E084F",
"versionEndExcluding": "16.0.7",
"versionStartIncluding": "16.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary77:*:*:*:node.js:*:*",
"matchCriteriaId": "B209A306-CE1A-448D-8653-7627302399B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary78:*:*:*:node.js:*:*",
"matchCriteriaId": "D1DCAC23-7ED0-456B-8AE2-57689199F708",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary79:*:*:*:node.js:*:*",
"matchCriteriaId": "8B35D612-AC2A-4697-934F-372E4D5EE3F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary80:*:*:*:node.js:*:*",
"matchCriteriaId": "A06D2291-5D89-4B76-99E0-52505634A63B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary81:*:*:*:node.js:*:*",
"matchCriteriaId": "8F01F07A-79F7-4F4B-8E3A-9C7D93C83A63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary82:*:*:*:node.js:*:*",
"matchCriteriaId": "9EDA2864-F94B-48EB-98F3-FDBFCECCC4A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary83:*:*:*:node.js:*:*",
"matchCriteriaId": "4828BEE0-E891-491B-903D-A50B0E37273C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary84:*:*:*:node.js:*:*",
"matchCriteriaId": "55723BB4-E62B-4034-A434-485FE0E6BAF5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary85:*:*:*:node.js:*:*",
"matchCriteriaId": "19F55784-CC11-4024-9A42-EFEEF7B2366F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary86:*:*:*:node.js:*:*",
"matchCriteriaId": "1D694B0A-9BCF-49C8-A787-B0AFE51C7DC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:14.3.0:canary87:*:*:*:node.js:*:*",
"matchCriteriaId": "C91F9508-E18D-4928-9DF5-DE2DDBEC56D3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "3ED7F693-8012-4F88-BC71-CF108E20664A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary0:*:*:*:node.js:*:*",
"matchCriteriaId": "40EE98AC-754A-4FD9-B51A-9E2674584FD9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary1:*:*:*:node.js:*:*",
"matchCriteriaId": "13B41C54-AF21-4637-A852-F997635B4E83",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary10:*:*:*:node.js:*:*",
"matchCriteriaId": "91B41697-2D70-488D-A5C3-CB9D435560CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary11:*:*:*:node.js:*:*",
"matchCriteriaId": "7D43DB84-7BCF-429B-849A-7189EC1922D0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary12:*:*:*:node.js:*:*",
"matchCriteriaId": "CEC2346B-8DBD-4D53-9866-CFBDD3AACEF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary13:*:*:*:node.js:*:*",
"matchCriteriaId": "2BC95097-8CA6-42FE-98D7-F968E37C11B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary14:*:*:*:node.js:*:*",
"matchCriteriaId": "4F8FA85C-1200-4FD2-B5D7-906300748BD4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary15:*:*:*:node.js:*:*",
"matchCriteriaId": "5D0B177B-2A31-48E9-81C7-1024E2452486",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary16:*:*:*:node.js:*:*",
"matchCriteriaId": "7CCA01F3-3A14-4450-8A68-B1DA22C685B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary17:*:*:*:node.js:*:*",
"matchCriteriaId": "1AB351AE-8C29-4E67-8699-0AAC6B3383E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary18:*:*:*:node.js:*:*",
"matchCriteriaId": "14A34D9D-5FA2-434B-836E-3CE63D716CCB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary19:*:*:*:node.js:*:*",
"matchCriteriaId": "E8440F05-F32B-4D40-90B7-04BF22107D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary2:*:*:*:node.js:*:*",
"matchCriteriaId": "FB6C6F6D-1EC0-4BD9-97A4-CFDE70DF0C43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary20:*:*:*:node.js:*:*",
"matchCriteriaId": "6189BD4C-A3E2-451B-96B2-FF01250E946D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary21:*:*:*:node.js:*:*",
"matchCriteriaId": "389EE453-8B07-45DD-BE9C-277C9C5CB156",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary22:*:*:*:node.js:*:*",
"matchCriteriaId": "BA4D4638-4734-4B16-87AA-EF4B5D2DDD7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary23:*:*:*:node.js:*:*",
"matchCriteriaId": "D54A2E63-6E0C-4E17-86A8-459B0A7EE00B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary24:*:*:*:node.js:*:*",
"matchCriteriaId": "E6136F0A-3010-4BAD-811B-D047CF5E6F64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary25:*:*:*:node.js:*:*",
"matchCriteriaId": "525EFA40-B14B-47E9-8FBD-45721A802DB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary26:*:*:*:node.js:*:*",
"matchCriteriaId": "69142944-1EC0-4F94-862E-FA7F2E101101",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary27:*:*:*:node.js:*:*",
"matchCriteriaId": "30016C06-372D-4F98-84A8-0732CA054970",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary28:*:*:*:node.js:*:*",
"matchCriteriaId": "E1536E2B-84EC-46A3-9B6F-026364A9D927",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary29:*:*:*:node.js:*:*",
"matchCriteriaId": "5E6F1F60-30E2-407C-8152-EEEB7EFE24CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary3:*:*:*:node.js:*:*",
"matchCriteriaId": "3C907301-2C8F-465B-8134-94130E29F5DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary30:*:*:*:node.js:*:*",
"matchCriteriaId": "E81C89FD-40CB-471E-9967-90ACDCF79373",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary31:*:*:*:node.js:*:*",
"matchCriteriaId": "55E8AEEC-A686-49D6-B298-AEE4E838E769",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary32:*:*:*:node.js:*:*",
"matchCriteriaId": "CB0618EC-6A0B-4AC3-BF6D-E51AC84C4E15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary33:*:*:*:node.js:*:*",
"matchCriteriaId": "7B27F133-8EB4-4761-A706-DF42D4EB55F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary34:*:*:*:node.js:*:*",
"matchCriteriaId": "BF975472-B7E7-4AC8-B834-DA19897A4894",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary35:*:*:*:node.js:*:*",
"matchCriteriaId": "48A82613-F3FD-4E89-8E4A-F3F05A616171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary36:*:*:*:node.js:*:*",
"matchCriteriaId": "0D42CA1F-7C21-47C1-8A9C-1015286FCBE2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary37:*:*:*:node.js:*:*",
"matchCriteriaId": "7C83A4EF-B96F-40EC-BA1F-FE1370AF78AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary38:*:*:*:node.js:*:*",
"matchCriteriaId": "C151FDAB-DE34-4A7E-9762-6E99386798BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary39:*:*:*:node.js:*:*",
"matchCriteriaId": "53025212-05F0-41FE-81F8-023B1784BB8C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary4:*:*:*:node.js:*:*",
"matchCriteriaId": "68EAC2B9-32A5-4721-BB35-16D519CD1BBC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary40:*:*:*:node.js:*:*",
"matchCriteriaId": "7411EF71-CBEB-4127-935F-3C732A1E22AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary41:*:*:*:node.js:*:*",
"matchCriteriaId": "0C4B8930-1B65-4894-AFA8-C323AA7A8292",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary42:*:*:*:node.js:*:*",
"matchCriteriaId": "B4977345-BD8C-41C7-9DD7-1E41D6CC6438",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary43:*:*:*:node.js:*:*",
"matchCriteriaId": "EFE030A4-5B14-4C2D-B953-E80C98FB26EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary44:*:*:*:node.js:*:*",
"matchCriteriaId": "9F616FD4-83BF-4A9A-AFFD-0D3E2544DC7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary45:*:*:*:node.js:*:*",
"matchCriteriaId": "00512630-8B88-43B0-9ED3-2B33C64CC9A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary46:*:*:*:node.js:*:*",
"matchCriteriaId": "A88EEF11-C7DA-4E2D-A030-FC177E696557",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary47:*:*:*:node.js:*:*",
"matchCriteriaId": "BE8453D9-7275-4A5F-8732-F05662FFF2E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary48:*:*:*:node.js:*:*",
"matchCriteriaId": "E306B896-9BBB-424B-8D99-7A1A79AEFE9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary49:*:*:*:node.js:*:*",
"matchCriteriaId": "ACA87B86-33D5-4BEA-A13D-EEB4922D511E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary5:*:*:*:node.js:*:*",
"matchCriteriaId": "77AA0D23-B101-445C-A260-ED3152A93D17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary50:*:*:*:node.js:*:*",
"matchCriteriaId": "7D7DCCF7-FC83-4767-A0C2-C84A8B14F93B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary51:*:*:*:node.js:*:*",
"matchCriteriaId": "FD397568-7F1F-4153-AF08-B22D4D3B45F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary52:*:*:*:node.js:*:*",
"matchCriteriaId": "984416EF-B121-40CE-B3AD-E22A06BB5844",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary53:*:*:*:node.js:*:*",
"matchCriteriaId": "C4B58652-EE24-43CF-8ABE-4A01B2C9938C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary54:*:*:*:node.js:*:*",
"matchCriteriaId": "8090CF73-AEA7-43FC-A960-321BED3B1682",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary55:*:*:*:node.js:*:*",
"matchCriteriaId": "823164E5-609D-4F24-86A5-E25618FE86A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary56:*:*:*:node.js:*:*",
"matchCriteriaId": "E13CD688-63C3-4FFA-9D13-696005F0C155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary57:*:*:*:node.js:*:*",
"matchCriteriaId": "B397B18C-8A7A-4766-9A68-98B26E190A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary6:*:*:*:node.js:*:*",
"matchCriteriaId": "2DB345E3-BAD0-497E-93AE-5E4DC669C192",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary7:*:*:*:node.js:*:*",
"matchCriteriaId": "840FEB19-2C66-4004-A488-B90219F8AC05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary8:*:*:*:node.js:*:*",
"matchCriteriaId": "C260F966-73D7-43F3-A329-8C558A695821",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:15.6.0:canary9:*:*:*:node.js:*:*",
"matchCriteriaId": "28130A79-39B5-43E8-A690-C8E9C62483F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:16.0.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "5E8548AB-D9E8-4E65-AF24-9F9021F99834",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
}
],
"id": "CVE-2025-55182",
"lastModified": "2025-12-10T02:00:02.557",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "cve-assign@fb.com",
"type": "Secondary"
}
]
},
"published": "2025-12-03T16:15:56.463",
"references": [
{
"source": "cve-assign@fb.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
},
{
"source": "cve-assign@fb.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://news.ycombinator.com/item?id=46136026"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Third Party Advisory"
],
"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
}
],
"sourceIdentifier": "cve-assign@fb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-FV66-9V8Q-G76R
Vulnerability from github – Published: 2025-12-03 19:07 – Updated: 2025-12-09 16:53
VLAI?
Summary
React Server Components are Vulnerable to RCE
Details
Impact
There is an unauthenticated remote code execution vulnerability in React Server Components.
We recommend upgrading immediately.
The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of: * react-server-dom-webpack * react-server-dom-parcel * react-server-dom-turbopack
Patches
A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.
If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
References
See the blog post for more information and upgrade instructions.
Severity ?
10.0 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-webpack"
},
"ranges": [
{
"events": [
{
"introduced": "19.0.0"
},
{
"fixed": "19.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"19.0.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-webpack"
},
"ranges": [
{
"events": [
{
"introduced": "19.1.0"
},
{
"fixed": "19.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-webpack"
},
"ranges": [
{
"events": [
{
"introduced": "19.2.0"
},
{
"fixed": "19.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"19.2.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-turbopack"
},
"ranges": [
{
"events": [
{
"introduced": "19.0.0"
},
{
"fixed": "19.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"19.0.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-turbopack"
},
"ranges": [
{
"events": [
{
"introduced": "19.1.0"
},
{
"fixed": "19.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-turbopack"
},
"ranges": [
{
"events": [
{
"introduced": "19.2.0"
},
{
"fixed": "19.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"19.2.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-parcel"
},
"ranges": [
{
"events": [
{
"introduced": "19.0.0"
},
{
"fixed": "19.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"19.0.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-parcel"
},
"ranges": [
{
"events": [
{
"introduced": "19.1.0"
},
{
"fixed": "19.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "react-server-dom-parcel"
},
"ranges": [
{
"events": [
{
"introduced": "19.2.0"
},
{
"fixed": "19.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"19.2.0"
]
}
],
"aliases": [
"CVE-2025-55182"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-03T19:07:39Z",
"nvd_published_at": "2025-12-03T16:15:56Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app\u2019s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
"id": "GHSA-fv66-9v8q-g76r",
"modified": "2025-12-09T16:53:23Z",
"published": "2025-12-03T19:07:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/pull/35277"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700"
},
{
"type": "WEB",
"url": "https://github.com/ejpir/CVE-2025-55182-poc"
},
{
"type": "PACKAGE",
"url": "https://github.com/facebook/react"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/releases/tag/v19.0.1"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/releases/tag/v19.1.2"
},
{
"type": "WEB",
"url": "https://github.com/facebook/react/releases/tag/v19.2.1"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=46136026"
},
{
"type": "WEB",
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "React Server Components are Vulnerable to RCE"
}
CVE-2025-55182
Vulnerability from fstec - Published: 03.12.2025
VLAI Severity ?
Title
Уязвимость функции requireModule() пакетов react-server-dom-webpack, react-server-dom-parcel и react-server-dom-turbopack JavaScript библиотеки построения пользовательских интерфейсов React, позволяющая нарушителю выполнить произвольный код
Description
Уязвимость функции requireModule() пакетов react-server-dom-webpack, react-server-dom-parcel и react-server-dom-turbopack JavaScript библиотеки построения пользовательских интерфейсов React связана с недостатками механизма десериализации при обработке параметра hasOwnProperty. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код путем отправки специально сформированного HTTP-запроса
Severity ?
Vendor
Meta Platforms Inc, Vercel, Сообщество свободного программного обеспечения, The Vac Research Collective, Expo Software, Inc., RedwoodJS Core Team
Software Name
react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, Next.js, React Router, Waku, React, Expo, Redwood SDK
Software Version
до 19.0.1 (react-server-dom-webpack), до 19.1.2 (react-server-dom-webpack), до 19.2.1 (react-server-dom-webpack), до 19.0.1 (react-server-dom-parcel), до 19.1.2 (react-server-dom-parcel), до 19.2.1 (react-server-dom-parcel), до 19.0.1 (react-server-dom-turbopack), до 19.1.2 (react-server-dom-turbopack), до 19.2.1 (react-server-dom-turbopack), до 15.0.5 (Next.js), до 15.1.9 (Next.js), до 15.2.6 (Next.js), до 15.3.6 (Next.js), до 15.4.8 (Next.js), до 15.5.7 (Next.js), до 16.0.7 (Next.js), - (React Router), - (Waku), до 14.3.0-canary.77 включительно (Next.js), - (React), - (Expo), до 1.0.0-alpha.0 (Redwood SDK)
Possible Mitigations
Установка обновлений из доверенных источников. В связи со сложившейся обстановкой и введенными санкциями против Российской Федерации рекомендуется устанавливать обновления программного обеспечения только после оценки всех сопутствующих рисков.
Компенсирующие меры:
- использование нестандартных сетевых портов для доступа к серверу React (по умолчанию 3002);
- использование межсетевого экрана уровня приложений (WAF) для фильтрации сетевого трафика;
- ограничение возможности непривилегированных пользователей загружать файлы на сервер React;
- ограничение доступа к уязвимому программному обеспечению, используя схему доступа по «белым спискам»;
- использование SIEM-систем для отслеживания событий, связанных с вызовом функции runInThisContext();
- использование систем обнаружения и предотвращения вторжений для отслеживания индикаторов компрометации для попыток эксплуатации уязвимости.
Использование рекомендаций производителя:
Для React:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Для Next.js:
https://nextjs.org/blog/CVE-2025-66478
Reference
https://react.dev/versions#react-19
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
https://nextjs.org/blog/CVE-2025-66478
https://github.com/Ashwesker/Blackash-CVE-2025-55182
https://github.com/fatguru/CVE-2025-55182-scanner
https://github.com/sickwell/CVE-2025-55182
https://github.com/ejpir/CVE-2025-55182-poc
https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
CWE
CWE-502
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Meta Platforms Inc, Vercel, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, The Vac Research Collective, Expo Software, Inc., RedwoodJS Core Team",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 19.0.1 (react-server-dom-webpack), \u0434\u043e 19.1.2 (react-server-dom-webpack), \u0434\u043e 19.2.1 (react-server-dom-webpack), \u0434\u043e 19.0.1 (react-server-dom-parcel), \u0434\u043e 19.1.2 (react-server-dom-parcel), \u0434\u043e 19.2.1 (react-server-dom-parcel), \u0434\u043e 19.0.1 (react-server-dom-turbopack), \u0434\u043e 19.1.2 (react-server-dom-turbopack), \u0434\u043e 19.2.1 (react-server-dom-turbopack), \u0434\u043e 15.0.5 (Next.js), \u0434\u043e 15.1.9 (Next.js), \u0434\u043e 15.2.6 (Next.js), \u0434\u043e 15.3.6 (Next.js), \u0434\u043e 15.4.8 (Next.js), \u0434\u043e 15.5.7 (Next.js), \u0434\u043e 16.0.7 (Next.js), - (React Router), - (Waku), \u0434\u043e 14.3.0-canary.77 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Next.js), - (React), - (Expo), \u0434\u043e 1.0.0-alpha.0 (Redwood SDK)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0438\u0437 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u044b\u0445 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u043e\u0432. \u0412 \u0441\u0432\u044f\u0437\u0438 \u0441\u043e \u0441\u043b\u043e\u0436\u0438\u0432\u0448\u0435\u0439\u0441\u044f \u043e\u0431\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u043e\u0439 \u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u043c\u0438 \u0441\u0430\u043d\u043a\u0446\u0438\u044f\u043c\u0438 \u043f\u0440\u043e\u0442\u0438\u0432 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e\u0441\u043b\u0435 \u043e\u0446\u0435\u043d\u043a\u0438 \u0432\u0441\u0435\u0445 \u0441\u043e\u043f\u0443\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0440\u0438\u0441\u043a\u043e\u0432.\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043d\u0435\u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 \u0441\u0435\u0442\u0435\u0432\u044b\u0445 \u043f\u043e\u0440\u0442\u043e\u0432 \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u0443 React (\u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e 3002);\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043c\u0435\u0436\u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u044d\u043a\u0440\u0430\u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 (WAF) \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u0442\u0440\u0430\u0444\u0438\u043a\u0430;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u043d\u0435\u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0437\u0430\u0433\u0440\u0443\u0436\u0430\u0442\u044c \u0444\u0430\u0439\u043b\u044b \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440 React;\n- \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u043c\u0443 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044e, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0441\u0445\u0435\u043c\u0443 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043f\u043e \u00ab\u0431\u0435\u043b\u044b\u043c \u0441\u043f\u0438\u0441\u043a\u0430\u043c\u00bb;\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 SIEM-\u0441\u0438\u0441\u0442\u0435\u043c \u0434\u043b\u044f \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u0441\u043e\u0431\u044b\u0442\u0438\u0439, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u044b\u0445 \u0441 \u0432\u044b\u0437\u043e\u0432\u043e\u043c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 runInThisContext();\n- \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u044f \u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0432\u0442\u043e\u0440\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u0438\u043d\u0434\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u0432 \u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0430\u0446\u0438\u0438 \u0434\u043b\u044f \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\n\u0414\u043b\u044f React:\nhttps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\n\n\u0414\u043b\u044f Next.js:\nhttps://nextjs.org/blog/CVE-2025-66478",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "03.12.2025",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "08.12.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.12.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-15156",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-55182",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack, Next.js, React Router, Waku, React, Expo, Redwood SDK",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 requireModule() \u043f\u0430\u043a\u0435\u0442\u043e\u0432 react-server-dom-webpack, react-server-dom-parcel \u0438 react-server-dom-turbopack JavaScript \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u043f\u043e\u0441\u0442\u0440\u043e\u0435\u043d\u0438\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u043e\u0432 React, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-502)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 requireModule() \u043f\u0430\u043a\u0435\u0442\u043e\u0432 react-server-dom-webpack, react-server-dom-parcel \u0438 react-server-dom-turbopack JavaScript \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 \u043f\u043e\u0441\u0442\u0440\u043e\u0435\u043d\u0438\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0445 \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u043e\u0432 React \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 hasOwnProperty. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u0430",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "React Server Components \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442 \u043a\u043b\u0438\u0435\u043d\u0442\u0443 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0435 \u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u0435 payload\u0027s \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043b\u044f \u0432\u044b\u0437\u043e\u0432\u0430 Server Functions. \u042d\u0442\u0438 payload\u0027s \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0443\u044e\u0442\u0441\u044f \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u0445 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u0432 React.\n\n\u0412 \u0443\u044f\u0437\u0432\u0438\u043c\u044b\u0445 \u0432\u0435\u0440\u0441\u0438\u044f\u0445 \u043f\u0440\u043e\u0446\u0435\u0441\u0441 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043d\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e\u0441\u0442\u044c \u0432\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443:\n\n\u041e\u0442\u043f\u0440\u0430\u0432\u0438\u0442\u044c \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441 \u043d\u0430 \u043b\u044e\u0431\u043e\u0439 endpoint, \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0449\u0438\u0439 React Server Functions.\n\u041f\u0440\u0438 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u044d\u0442\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 (RCE).\n\u0410\u0442\u0430\u043a\u0430 \u043d\u0435 \u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u2014 \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u0437\u043d\u0430\u0442\u044c URL endpoint\u0027\u0430.\n\n\u0412\u0430\u0448\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u043d\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e \u0435\u0441\u043b\u0438:\n- \u041d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u0441\u0435\u0440\u0432\u0435\u0440 (\u0442\u043e\u043b\u044c\u043a\u043e \u0441\u0442\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u0438\u0439 React),\n- \u041d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 React Server Components (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0442\u043e\u043b\u044c\u043a\u043e Pages Router \u0432 Next.js \u0431\u0435\u0437 App Router),\n- \u041d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0438 \u0441 RSC,",
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://react.dev/versions#react-19\nhttps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\nhttps://nextjs.org/blog/CVE-2025-66478\nhttps://github.com/Ashwesker/Blackash-CVE-2025-55182\nhttps://github.com/fatguru/CVE-2025-55182-scanner\nhttps://github.com/sickwell/CVE-2025-55182\nhttps://github.com/ejpir/CVE-2025-55182-poc\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-502",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.1 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…