CVE-2025-55183

high-risk

Published 2025-12-11

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Do I need to act?

19.8% chance of exploitation in next 30 days

EPSS score — higher than 80% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (20)

React

Next.Js

Affected Vendors

Facebook Vercel

References (2)

Exploit https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-...

Vendor Advisory https://www.facebook.com/security/advisories/cve-2025-55183

/ 100

high-risk

Severity 21/34 · High

Exploitability 14/34 · Moderate

Exposure 29/34 · Critical