CVE-2025-55183

5.3 MEDIUM

📋 TL;DR

An information leak in React Server Components lets an unauthenticated attacker read the source code of Server Functions. A Server Function call is an HTTP request whose arguments the runtime decodes on the server, and an attacker can supply a reference to a Server Function where a plain value was expected. If the application then coerces that argument to a string, explicitly via String(arg), a template literal or concatenation, or implicitly by logging it or placing it in an error message, JavaScript's Function.prototype.toString yields the referenced function's source, which is then returned or recorded. Affected are react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack versions 19.0.0 through 19.2.1; only applications whose Server Functions stringify an argument of unchecked type are exploitable.

💻 Affected Systems

Products:
  • react-server-dom-parcel
  • react-server-dom-turbopack
  • react-server-dom-webpack
Versions: 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes (no configuration setting gates the behaviour; exposure depends on application code)
Notes: Requires at least one Server Function that stringifies an argument without checking its type, explicitly (String(), template literal, concatenation) or implicitly (logging, error messages). Through that one function an attacker can read the source of any other Server Function whose id they know. Deployments with no such function are not affected, but the only way to be sure is to audit every Server Function or to patch.

📦 What is this software?

React Server Components (RSC) is React's architecture for rendering components on the server and streaming the result to the client. The react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack packages are the bundler-specific runtimes that implement the RSC wire protocol, including Server Functions: functions marked with the "use server" directive that client code can call, each call carried as an HTTP request whose arguments the runtime decodes on the server. Frameworks such as Next.js bundle their own copy of react-server-dom-webpack, so the package may not appear in an application's package.json at all.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The attacker reads the source of every Server Function whose id they can obtain (the ids are present in the client bundle): business logic, internal endpoints, authorization checks and any secrets hardcoded in those functions. Values read from the environment at runtime are not in the source text, but the code shows how and where they are used, which feeds follow-on attacks.

🟠

Likely Case

One Server Function that stringifies an argument serves as the sink, and through it the attacker dumps the source of other Server Functions, revealing implementation details (internal URLs, data access patterns, missing authorization checks) that aid in finding further weaknesses.

🟢

If Mitigated

With patched packages, or with Server Functions that reject non-primitive arguments before any string coercion, the crafted argument is refused and no function source is returned.

🌐 Internet-Facing: HIGH - Web applications are directly accessible via HTTP requests, making exploitation straightforward.
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but attack surface reduced by network segmentation.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication is required beyond being able to reach the Server Function itself, so applications that expose Server Functions only to logged-in users limit the pool of attackers rather than removing the flaw. The attacker needs two things, both discoverable from the client bundle: a Server Function that stringifies an argument (the sink) and the ids of the Server Functions to read. The attack is then a single crafted Server Function call in which one argument is a function reference instead of the expected value.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.2.2 or later (use the patched release for whichever 19.x line you are on)

Vendor Advisory: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Restart Required: Yes (rebuild first; the runtime is compiled into the server bundle)

Instructions:

1. Update react-server-dom-parcel, react-server-dom-turbopack or react-server-dom-webpack (whichever your bundler uses) to a patched release, keeping react and react-dom on the matching version
2. If your framework bundles the package (Next.js ships its own copy of react-server-dom-webpack), update the framework to a release that carries the fix instead
3. Adjust the versions in package.json and run npm update, yarn upgrade or pnpm update so the lockfile picks up the patched release
4. Rebuild and restart the application server
5. Run your test suite and confirm no breaking changes in your Server Functions

🔧 Temporary Workarounds

Input Validation for Server Functions (all platforms)

Before any string coercion, check that each argument has the primitive type the function expects (typeof arg === 'string', number, boolean) and reject everything else, including functions and objects. This refuses the crafted server-reference argument before it can reach a template literal, String(), concatenation, a log line or an error message.

Disable Stringifying Server Functions (all platforms)

Until patched, remove or disable Server Functions that stringify arguments of unchecked type. Each such function is a sink through which the source of any other Server Function can be read, so a single overlooked one is enough.
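The vulnerable and hardened patterns side by side, as an added example that is not React's code or part of the advisory. The registry, the made-up function ids, the constructed secret string and the decodeArgs stand-in for react-server-dom's argument decoding are all assumptions; the Server Functions are written synchronously so the results can be checked directly, and the coercion behaves the same for async ones.

```javascript
// Added example (not React's or the advisory's code): simulates the coercion
// step behind CVE-2025-55183 without the RSC runtime. decodeArgs is a
// simplified stand-in for react-server-dom's argument decoding and is an
// assumption, not the real wire format; ids and the secret string are made up.

// Server Functions keyed by the ids the client bundle references them with.
const serverFunctionRegistry = new Map();

function registerServerFunction(id, fn) {
  serverFunctionRegistry.set(id, fn);
}

// Stand-in for decoding a Server Function call's argument list: primitives pass
// through, and a marker of the form { serverRef: id } resolves to the
// registered function, the way a server-reference marker would.
function decodeArgs(encodedArgs) {
  return encodedArgs.map((arg) => {
    if (arg && typeof arg === 'object' && typeof arg.serverRef === 'string') {
      const fn = serverFunctionRegistry.get(arg.serverRef);
      if (!fn) throw new Error(`unknown server reference ${arg.serverRef}`);
      return fn;
    }
    return arg;
  });
}

// The Server Function an attacker wants to read. The hardcoded token is
// constructed for this example.
registerServerFunction('pricing-v1', function computeDiscount(cart) {
  const PARTNER_TOKEN = 'pt_live_example_not_real';
  return { total: cart.total * 0.9, token: PARTNER_TOKEN };
});

// VULNERABLE: the argument is interpolated into a string with no type check.
// When the decoded argument is a function, the template literal calls
// Function.prototype.toString and the function's source ends up in the reply.
registerServerFunction('greet-v1', function greet(name) {
  return `Hello, ${name}!`;
});

// HARDENED: reject anything that is not the primitive the function expects
// before it can be coerced anywhere (template literal, String(), logging).
registerServerFunction('greet-v2', function greet(name) {
  if (typeof name !== 'string') {
    throw new TypeError('greet: name must be a string');
  }
  return `Hello, ${name}!`;
});

// Drives a call the way the server side would: decode, then invoke.
function invoke(id, encodedArgs) {
  const fn = serverFunctionRegistry.get(id);
  if (!fn) throw new Error(`unknown server function ${id}`);
  return fn(...decodeArgs(encodedArgs));
}

// Attacker-controlled argument list: a reference to pricing-v1 where a string
// was expected.
const CRAFTED_ARGS = [{ serverRef: 'pricing-v1' }];

function demo() {
  const honest = invoke('greet-v1', ['Ada']);
  const leaked = invoke('greet-v1', CRAFTED_ARGS);
  let hardened;
  try {
    hardened = invoke('greet-v2', CRAFTED_ARGS);
  } catch (e) {
    hardened = `rejected: ${e.message}`;
  }
  return { honest, leaked, hardened };
}

const result = demo();
console.log(result.honest);   // Hello, Ada!
console.log(result.leaked);   // Hello, function computeDiscount(cart) {...}!
console.log(result.hardened); // rejected: greet: name must be a string
```

The point of the hardened version is that the check sits before the coercion, not after: validating the string after interpolation is too late, because the source has already been produced, and if the function logs or rethrows the offending value the leak moves into the logs instead of the reply.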

🧯 If You Can't Patch

  • Put the application behind authentication or an API gateway so Server Functions are reachable only by logged-in users; this narrows who can probe, it does not stop the leak
  • Treat WAF rules as a weak control: the malicious request is a well-formed Server Function call that differs from a legitimate one only in how one argument is encoded, so rules keyed on URL patterns will not catch it, and rules on argument shape (a function reference where a primitive belongs) will have false negatives

🔍 How to Verify

Check if Vulnerable:

Check package.json and the lockfile for react-server-dom-parcel, react-server-dom-turbopack or react-server-dom-webpack at 19.0.0 through 19.2.1, including a copy bundled by your framework, then review every "use server" function for arguments that reach String(), a template literal, concatenation, a log line or an error message without a type check

Check Version:

npm list react-server-dom-parcel react-server-dom-turbopack react-server-dom-webpack

Verify Fix Applied:

Confirm the installed version is 19.2.2 or later (or the patched release for your 19.x line) for every copy, including any bundled by the framework, and confirm each Server Function rejects non-primitive arguments. In a test environment, call a stringifying Server Function with an argument of the wrong type and check that neither the response nor the logs contain function source

📡 Detection & Monitoring

Log Indicators:

  • Server Function calls whose logged argument or response contains JavaScript function source (text such as "function name(", "async function" or "=> {") where a plain value was expected
  • TypeError or validation errors from Server Functions rejecting a non-string argument, which is what the hardened pattern produces under probing
  • A burst of calls to one Server Function from a single client with varying argument encodings, consistent with an attacker searching for a stringifying sink

Network Indicators:

  • POST requests to Server Function endpoints whose bodies carry Server Function references in argument positions that the calling page only ever fills with primitives
  • Responses to Server Function calls that are unusually large or contain JavaScript source

SIEM Query (field names are placeholders; assumes the application logs each Server Function call with its arguments and response, since web server access logs do not carry request or response bodies):

source="app_logs" AND event="server_function_call" AND (args="*function*(*" OR response="*function*(*" OR args="*=>*{*" OR response="*=>*{*")
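An added detection heuristic, not from the advisory: a scanner over application log lines that flags Server Function arguments or responses containing JavaScript function source, which is what a successful leak looks like once the coerced argument is logged or returned. The JSON log format, the field names and the sample lines are constructed for this example.

```javascript
// Added example (not from the advisory): flags Server Function arguments or
// responses that look like JavaScript function source. Log format, field
// names and the sample lines below are constructed for this example.

const FUNCTION_SOURCE_PATTERNS = [
  /\basync\s+function\b/,       // async function foo(
  /\bfunction\s*[\w$]*\s*\(/,   // function foo( or function (
  /\([^)]*\)\s*=>\s*[{(]/,      // (a, b) => {
  /["']use server["']/,         // directive copied along with the body
];

// Heuristic: does this string contain something that reads like function source?
function looksLikeFunctionSource(text) {
  return typeof text === 'string' && FUNCTION_SOURCE_PATTERNS.some((re) => re.test(text));
}

// Each line is one JSON record: { ts, event, fn, args, response }.
// Returns one finding per suspicious server_function_call record.
function scanServerFunctionLogs(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      return; // not JSON, skip (a real pipeline would count these)
    }
    if (rec.event !== 'server_function_call') return;
    const fields = [];
    (Array.isArray(rec.args) ? rec.args : []).forEach((arg, idx) => {
      if (looksLikeFunctionSource(arg)) fields.push(`arg[${idx}]`);
    });
    if (looksLikeFunctionSource(rec.response)) fields.push('response');
    if (fields.length > 0) {
      findings.push({ line: i + 1, ts: rec.ts, fn: rec.fn, fields });
    }
  });
  return findings;
}

// Constructed sample log lines: a normal call, a leak through a template
// literal (the coerced argument and the reply both carry the source), a
// non-JSON line, an unrelated event, and a benign string containing the
// word "function".
const SAMPLE_LOG_LINES = [
  '{"ts":"2025-12-12T10:00:00Z","event":"server_function_call","fn":"greet","args":["Ada"],"response":"Hello, Ada!"}',
  '{"ts":"2025-12-12T10:00:07Z","event":"server_function_call","fn":"greet","args":["function computeDiscount(cart) {\\n  return cart.total * 0.9;\\n}"],"response":"Hello, function computeDiscount(cart) {\\n  return cart.total * 0.9;\\n}!"}',
  'Dec 12 10:00:09 web1 nginx: worker process started',
  '{"ts":"2025-12-12T10:00:12Z","event":"page_view","path":"/pricing"}',
  '{"ts":"2025-12-12T10:00:15Z","event":"server_function_call","fn":"greet","args":["a function of time"],"response":"Hello, a function of time!"}',
];

for (const f of scanServerFunctionLogs(SAMPLE_LOG_LINES)) {
  console.log(`line ${f.line} ${f.ts} ${f.fn}: function source in ${f.fields.join(', ')}`);
}
```

The patterns are deliberately loose; tune them against a day of your own Server Function logs before alerting on them, and treat a hit in an argument field as the stronger signal, since a legitimate caller never sends function source where a primitive belongs.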
