Advisory 2025-2547 - Vercel Next.js and React Server Components (React2Shell): Vulnerability allows code execution
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2025-2547
Rating values (see Disclaimer): 5 | 4
Date
- 2025-12-04
Release
- 2025-12-05 UPDATE
Operating System
- Other
- UNIX
- Windows
Software
- Open Source React < 19.0.1
- Open Source React < 19.1.2
- Open Source React < 19.2.1
- Vercel Next.js < 15.0.5
- Vercel Next.js < 15.1.9
- Vercel Next.js < 15.2.6
- Vercel Next.js < 15.3.6
- Vercel Next.js < 15.4.8
- Vercel Next.js < 15.5.7
- Vercel Next.js < 16.0.7
Attack
A remote anonymous attacker can exploit a vulnerability in Vercel Next.js and React in order to execute arbitrary code.
Description
Next.js is a framework for React-based web applications. React is an open-source JavaScript library for creating user interfaces, especially for single-page applications.
CVE-2025-55182, CVE-2025-66478
A vulnerability exists in Vercel Next.js, when using the App Router, and in React Server Components. This flaw stems from the improper deserialization of payloads from HTTP requests to server function endpoints in certain packages, including react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A remote, anonymous attacker can exploit this vulnerability to execute arbitrary code on the server by sending a crafted HTTP request to any server function endpoint.
UPDATE 2025-12-05
PoC code taking advantage of this vulnerability is available on the Internet.
Amazon reports active exploitation by threat groups.
Recommendation
Vercel provides updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://github.com/advisories/GHSA-9qr9-h5gf-34mp
The developers provide updates. Please update your installation and see the vendor's advisory to find the proper version suitable for your environment.
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
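As an added example (not code from this advisory, from Vercel or from the React project), the following Node.js script classifies the next and react versions recorded in a package-lock.json against the fixed versions listed under Software above; the lockfile contents are constructed for illustration.

```javascript
// Added example, not code from the Telekom Security advisory or from Vercel/React.
// Fixed versions are transcribed from the "Software" section of this advisory;
// versions on branches not listed there are reported as "not listed", not guessed.
const FIXED = {
  next: ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
  react: ["19.0.1", "19.1.2", "19.2.1"],
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// "affected" if the version sits on a listed major.minor branch below that
// branch's fix, "fixed" if at or above it, otherwise "not listed".
function classify(pkg, version) {
  const v = parseVersion(version);
  for (const fixed of FIXED[pkg] || []) {
    const f = parseVersion(fixed);
    if (f[0] === v[0] && f[1] === v[1]) return v[2] < f[2] ? "affected" : "fixed";
  }
  return "not listed";
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json and
// classifies every installed copy of next and react, nested copies included.
function auditLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "next" || name === "react") {
      results.push({ path, version: entry.version, status: classify(name, entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile for demonstration; not taken from any real project.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "sample-app" },
    "node_modules/next": { version: "15.3.2" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/some-dep/node_modules/react": { version: "19.0.0" },
  },
};

console.table(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any "affected" row means the update recommended above is still outstanding.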
Information
GitHub Advisory Database dated 2025-12-03
https://github.com/advisories/GHSA-9qr9-h5gf-34mp
PoC on GitHub dated 2025-12-03
https://github.com/joshterrill/CVE-2025-55182-realistic-poc
NSFOCUS Notice dated 2025-12-03
https://nsfocusglobal.com/react-next-js-remote-code-execution-vulnerability-cve-2025-55182-cve-2025-66478-notice/
React2Shell (CVE-2025-55182) dated 2025-12-03
https://react2shell.com/
AWS Security Blog dated 2025-12-04
https://aws.amazon.com/de/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
References
CVE: CVE-2025-55182
CVE: CVE-2025-66478
GITHUB: GHSA-9QR9-H5GF-34MP
VULNAME: REACT2SHELL
Disclaimer
*The probability of an attack is determined by the attacker's motivation, the effort required and the opportunities for an attack. The damage probability is determined by the effort needed to resolve the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst-case scenarios.
Copyright © 1999-2026 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.
The information contained herein has been obtained from sources believed to be reliable and trusted, or has been verified. Telekom Security accepts liability for completeness, accuracy and correctness only insofar as gross negligence or intent give rise to liability. Any liability beyond this, in particular for possible damages resulting from the use or unusability of the information contained herein, is excluded.