Refine your search
3 vulnerabilities found for next.js by vercel
CERTFR-2025-ALE-014
Vulnerability from certfr_alerte
[Mise à jour du 08 décembre 2025]
Le CERT-FR a connaissance d'exploitations pour la vulnérabilité CVE-2025-55182.
[Publication initiale]
Le 3 décembre 2025, React a publié un avis de sécurité relatif à la vulnérabilité CVE-2025-55182 affectant React Server Components et qui permet à un attaquant non authentifié de provoquer une exécution de code arbitraire à distance. L'éditeur de Next.js a également publié un avis de sécurité faisant référence à l'identifiant CVE-2025-66478. Cet identifiant a été rejeté en raison du doublon avec l'identifiant utilisé par React. Cette faille de sécurité est également connue sous le nom de React2Shell.
Cette vulnérabilité concerne plus précisément les React Server Functions. Même si une application n'utilise pas explicitement de telles fonctions, elle peut être vulnérable si elle supporte les React Server Components. En particulier, plusieurs cadriciels tels que Next.js implémentent de telles fonctions par défaut.
Les technologies React Server Components et React Server Functions sont relativement récentes (la version 19 de React a été publiée fin 2024) et toutes les applications utilisant la technologie React ne sont ainsi pas nécessairement affectées. Veuillez vous référer à la section systèmes affectés pour plus d'informations.
Le CERT-FR a connaissance de preuves de concept publiques pour cette vulnérabilité et anticipe des exploitations en masse.
Note : Le CERT-FR a connaissance de la mise en place de règles de blocages de la vulnérabilité au niveau de plusieurs pare-feu applicatifs web populaires. Bien que ces mécanismes puissent rendre l'exploitation de la vulnérabilité plus difficile, ils ne peuvent pas remplacer une mise à jour vers une version corrective.
Solutions
Le CERT-FR recommande de mettre à jour au plus vite les composants vers les versions correctives listées dans les avis éditeurs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| N/A | N/A | Expo sans les versions correctives de react-server-dom-webpack | ||
| N/A | N/A | Redwood SDK versions antérieures à 1.0.0-alpha.0 | ||
| Vercel | Next.js | Next.js versions 15.0.x antérieures à 15.0.5 | ||
| N/A | N/A | Waku sans les versions correctives de react-server-dom-webpack | ||
| Vercel | Next.js | Next.js versions 15.1.x antérieures à 15.1.9 | ||
| Vercel | Next.js | Next.js versions 15.5.x antérieures à 15.5.7 | ||
| Meta | React | react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.2.x antérieures à 19.2.1 | ||
| Vercel | Next.js | Next.js versions 14.x canary | ||
| Vercel | Next.js | Next.js versions 15.3.x antérieures à 15.3.6 | ||
| N/A | N/A | React router avec le support de l'API RSC sans les derniers correctifs de sécurité | ||
| Meta | React | react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.0.x antérieures à 19.0.1 | ||
| Vercel | Next.js | Next.js versions 15.4.x antérieures à 15.4.8 | ||
| Meta | React | react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.1.x antérieures à 19.1.2 | ||
| Vercel | Next.js | Next.js versions 16.0.x antérieures à 16.0.7 | ||
| N/A | N/A | Vitejs avec le greffon plugin-rsc sans les derniers correctifs de sécurité | ||
| Vercel | Next.js | Next.js versions 15.2.x antérieures à 15.2.6 |
References
| Title | Publication Time | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Expo sans les versions correctives de react-server-dom-webpack",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Redwood SDK versions ant\u00e9rieures \u00e0 1.0.0-alpha.0",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Next.js versions 15.0.x ant\u00e9rieures \u00e0 15.0.5",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Waku sans les versions correctives de react-server-dom-webpack",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Next.js versions 15.1.x ant\u00e9rieures \u00e0 15.1.9",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Next.js versions 15.5.x ant\u00e9rieures \u00e0 15.5.7",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.2.x ant\u00e9rieures \u00e0 19.2.1",
"product": {
"name": "React",
"vendor": {
"name": "Meta",
"scada": false
}
}
},
{
"description": "Next.js versions 14.x canary",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Next.js versions 15.3.x ant\u00e9rieures \u00e0 15.3.6",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "React router avec le support de l\u0027API RSC sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.0.x ant\u00e9rieures \u00e0 19.0.1",
"product": {
"name": "React",
"vendor": {
"name": "Meta",
"scada": false
}
}
},
{
"description": "Next.js versions 15.4.x ant\u00e9rieures \u00e0 15.4.8",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "react-server-dom-webpack, react-server-dom-parcel et react-server-dom-turbopack versions 19.1.x ant\u00e9rieures \u00e0 19.1.2",
"product": {
"name": "React",
"vendor": {
"name": "Meta",
"scada": false
}
}
},
{
"description": "Next.js versions 16.0.x ant\u00e9rieures \u00e0 16.0.7",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
},
{
"description": "Vitejs avec le greffon plugin-rsc sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "N/A",
"scada": false
}
}
},
{
"description": "Next.js versions 15.2.x ant\u00e9rieures \u00e0 15.2.6",
"product": {
"name": "Next.js",
"vendor": {
"name": "Vercel",
"scada": true
}
}
}
],
"affected_systems_content": "",
"closed_at": null,
"content": "## Solutions\n\nLe CERT-FR recommande de mettre \u00e0 jour au plus vite les composants vers les versions correctives list\u00e9es dans les avis \u00e9diteurs (cf. section Documentation). ",
"cves": [
{
"name": "CVE-2025-55182",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55182"
},
{
"name": "CVE-2025-66478",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66478"
}
],
"initial_release_date": "2025-12-05T00:00:00",
"last_revision_date": "2025-12-08T00:00:00",
"links": [
{
"title": "Bulletin d\u0027actualit\u00e9 CERTFR-2025-ACT-053 du 04 d\u00e9cembre 2025",
"url": "https://cert.ssi.gouv.fr/actualite/CERTFR-2025-ACT-053/"
}
],
"reference": "CERTFR-2025-ALE-014",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-05T00:00:00.000000"
},
{
"description": "connaissance d\u0027exploitations pour la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
"revision_date": "2025-12-08T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
}
],
"summary": "**\u003cspan class=\"important-content\"\u003e[Mise \u00e0 jour du 08 d\u00e9cembre 2025]\u003c/span\u003e**\n\nLe CERT-FR a connaissance d\u0027exploitations pour la vuln\u00e9rabilit\u00e9 CVE-2025-55182.\n\n**[Publication initiale]**\n\nLe 3 d\u00e9cembre 2025, React a publi\u00e9 un avis de s\u00e9curit\u00e9 relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182 affectant React Server Components et qui permet \u00e0 un attaquant non authentifi\u00e9 de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance. L\u0027\u00e9diteur de Next.js a \u00e9galement publi\u00e9 un avis de s\u00e9curit\u00e9 faisant r\u00e9f\u00e9rence \u00e0 l\u0027identifiant CVE-2025-66478. Cet identifiant a \u00e9t\u00e9 rejet\u00e9 en raison du doublon avec l\u0027identifiant utilis\u00e9 par React. Cette faille de s\u00e9curit\u00e9 est \u00e9galement connue sous le nom de *React2Shell*. \n\nCette vuln\u00e9rabilit\u00e9 concerne plus pr\u00e9cis\u00e9ment les React Server Functions. M\u00eame si une application n\u0027utilise pas explicitement de telles fonctions, elle peut \u00eatre vuln\u00e9rable si elle supporte les React Server Components. En particulier, plusieurs cadriciels tels que Next.js impl\u00e9mentent de telles fonctions par d\u00e9faut. \n\nLes technologies React Server Components et React Server Functions sont relativement r\u00e9centes (la version 19 de React a \u00e9t\u00e9 publi\u00e9e fin 2024) et toutes les applications utilisant la technologie React ne sont ainsi pas n\u00e9cessairement affect\u00e9es. Veuillez vous r\u00e9f\u00e9rer \u00e0 la section syst\u00e8mes affect\u00e9s pour plus d\u0027informations.\n\nLe CERT-FR a connaissance de preuves de concept publiques pour cette vuln\u00e9rabilit\u00e9 et anticipe des exploitations en masse.\n\n*Note : Le CERT-FR a connaissance de la mise en place de r\u00e8gles de blocages de la vuln\u00e9rabilit\u00e9 au niveau de plusieurs pare-feu applicatifs web populaires. Bien que ces m\u00e9canismes puissent rendre l\u0027exploitation de la vuln\u00e9rabilit\u00e9 plus difficile, ils ne peuvent pas remplacer une mise \u00e0 jour vers une version corrective.* ",
"title": "Vuln\u00e9rabilit\u00e9 dans React Server Components",
"vendor_advisories": [
{
"published_at": "2025-12-03",
"title": "Billet de blogue React relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
},
{
"published_at": "2025-12-03",
"title": "Billet de blogue Vercel relatif \u00e0 la vuln\u00e9rabilit\u00e9 CVE-2025-55182",
"url": "https://vercel.com/changelog/cve-2025-55182"
},
{
"published_at": "2025-12-03",
"title": "Bulletin de s\u00e9curit\u00e9 Facebook CVE-2025-55182",
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
}
]
}
CVE-2025-55182 (GCVE-0-2025-55182)
Vulnerability from nvd
Published
2025-12-03 15:40
Modified
2025-12-06 04:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Deserialization of Untrusted Data (CWE-502)
Summary
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Version: 19.0.0 ≤ 19.2.0 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55182",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-05",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T04:55:42.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"media-coverage"
],
"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T00:00:00+00:00",
"value": "CVE-2025-55182 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-04T17:32:12.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
},
{
"url": "https://news.ycombinator.com/item?id=46136026"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization of Untrusted Data (CWE-502)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T15:40:56.894Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55182",
"datePublished": "2025-12-03T15:40:56.894Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-06T04:55:42.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55182 (GCVE-0-2025-55182)
Vulnerability from cvelistv5
Published
2025-12-03 15:40
Modified
2025-12-06 04:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Deserialization of Untrusted Data (CWE-502)
Summary
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Meta | react-server-dom-webpack |
Version: 19.0.0 ≤ 19.2.0 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55182",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-05",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T04:55:42.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"media-coverage"
],
"url": "https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55182"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T00:00:00+00:00",
"value": "CVE-2025-55182 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-04T17:32:12.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/4"
},
{
"url": "https://news.ycombinator.com/item?id=46136026"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "react-server-dom-webpack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-turbopack",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "react-server-dom-parcel",
"vendor": "Meta",
"versions": [
{
"lessThanOrEqual": "19.2.0",
"status": "affected",
"version": "19.0.0",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-12-02T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Deserialization of Untrusted Data (CWE-502)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T15:40:56.894Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55182"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55182",
"datePublished": "2025-12-03T15:40:56.894Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-12-06T04:55:42.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}