Vulnerability Description
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Facebook | React | >= 19.0.0, < 19.0.2 |
| Vercel | Next.js | >= 15.0.0, < 15.0.7 |
References
- https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in- (Exploit, Vendor Advisory)
- https://www.facebook.com/security/advisories/cve-2025-55183 (Vendor Advisory)
FAQ
What is CVE-2025-55183?
CVE-2025-55183 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: reac...
How severe is CVE-2025-55183?
CVE-2025-55183 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-55183?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook React, Vercel Next.js.