CVE-2025-55183
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-11

Last updated on: 2025-12-12

Assigner: Facebook, Inc.

Description
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-11
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-55183
Affected Vendors & Products
Showing 91 associated CPEs
Vendor Product Version / Range
facebook react From 19.0.0 (inc) to 19.0.2 (exc)
facebook react From 19.1.0 (inc) to 19.1.3 (exc)
facebook react From 19.2.0 (inc) to 19.2.2 (exc)
vercel next.js From 15.0.0 (inc) to 15.0.7 (exc)
vercel next.js From 15.1.0 (inc) to 15.1.11 (exc)
vercel next.js From 15.2.0 (inc) to 15.2.8 (exc)
vercel next.js From 15.3.0 (inc) to 15.3.8 (exc)
vercel next.js From 15.4.0 (inc) to 15.4.10 (exc)
vercel next.js From 15.5.0 (inc) to 15.5.9 (exc)
vercel next.js From 16.0.0 (inc) to 16.0.10 (exc)
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 15.6.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
vercel next.js 16.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an information leak in certain versions of React Server Components (19.0.0 through 19.2.1) and related packages. It occurs when a specially crafted HTTP request is sent to a vulnerable Server Function, which may then unsafely return the source code of any Server Function. Exploitation requires that the Server Function exposes a stringified argument either explicitly or implicitly.

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection involves monitoring for crafted malicious HTTP requests targeting Server Function endpoints that may return source code unexpectedly. Specific commands are not provided in the available resources. However, inspecting HTTP request logs for unusual requests to Server Functions and verifying if any Server Function exposes stringified arguments can help identify potential exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade React Server Components packages to fixed versions 19.0.2, 19.1.3, or 19.2.2. Users who updated for the prior critical vulnerability (CVE-2025-55182) must update again, as earlier patches remain vulnerable. Avoid using vulnerable versions 19.0.0 through 19.2.1. Additionally, monorepo users should update only the impacted packages to prevent version mismatches. Temporary mitigations coordinated with hosting providers exist, but upgrading packages is strongly recommended. [1]

Detection Guidance

Detection involves monitoring for crafted malicious HTTP requests sent to Server Function endpoints that may cause source code exposure. Specific detection commands are not provided in the resources. However, inspecting HTTP request logs for unusual or suspicious requests targeting Server Functions, especially those including stringified arguments, may help identify exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade React Server Components packages to fixed versions 19.0.2, 19.1.3, or 19.2.2. Users who updated for the prior critical vulnerability (CVE-2025-55182) must update again, as earlier patches remain vulnerable. The fix prevents stringification of Server Function source code, mitigating the exposure risk. Additionally, React Native users not using monorepos or react-dom are unaffected, but monorepo users should update only the impacted packages to avoid version mismatches. [1]

Impact Analysis

The vulnerability can lead to unauthorized disclosure of source code of Server Functions, potentially exposing sensitive implementation details. This information leak could aid attackers in understanding the server-side logic, which might be leveraged for further attacks or exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-55183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart