{
  "threat_severity" : "Critical",
  "public_date" : "2025-12-03T15:40:56Z",
  "bugzilla" : {
    "description" : "next: React Server Components: Pre-authentication remote code execution via unsafe deserialization",
    "id" : "2418613",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2418613"
  },
  "cvss3" : {
    "cvss3_base_score" : "10.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-502",
  "details" : [ "A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.", "A flaw was found in the React Server Components (RSC) protocol in which an attacker could send a malicious package to a Server Function endpoint and cause unauthenticated remote code execution. This is possible due to the way the affected packages deserialized untrusted data." ],
  "statement" : "The reference implementation of React Server Components is used by other projects such as Next.js. Next.js requested a CVE to track their impacted versions, CVE-2025-66478, but that CVE was rejected as a duplicate of this one. We list here packages which include Next.js as a dependency, but our analysis indicates that they are not affected by the vulnerability as they do not use the App Router functionality that exposes endpoints serving the vulnerable protocol.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "dotnet7.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "rhelai3/bootc-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Not affected",
    "package_name" : "rhelai3/disk-image-cuda-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-dashboard-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat Trusted Artifact Signer",
    "fix_state" : "Not affected",
    "package_name" : "rhtas/rekor-search-ui-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "com.github.streamshub-console",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Not affected",
    "package_name" : "com.github.streamshub-console",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55182\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55182\nhttps://nextjs.org/blog/CVE-2025-66478\nhttps://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components\nhttps://www.facebook.com/security/advisories/cve-2025-55182\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "name" : "CVE-2025-55182",
  "csaw" : false
}