CVE-2025-55183

EUVD-2025-202879
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MetaCNA
5.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
Affected Products (NVD)
VendorProductVersion
facebookreact
19.0.0 ≤
𝑥
< 19.0.2
facebookreact
19.1.0 ≤
𝑥
< 19.1.3
facebookreact
19.2.0 ≤
𝑥
< 19.2.2
vercelnext.js
15.0.0 ≤
𝑥
< 15.0.7
vercelnext.js
15.1.0 ≤
𝑥
< 15.1.11
vercelnext.js
15.2.0 ≤
𝑥
< 15.2.8
vercelnext.js
15.3.0 ≤
𝑥
< 15.3.8
vercelnext.js
15.4.0 ≤
𝑥
< 15.4.10
vercelnext.js
15.5.0 ≤
𝑥
< 15.5.9
vercelnext.js
16.0.0 ≤
𝑥
< 16.0.10
vercelnext.js
15.6.0
vercelnext.js
15.6.0:canary0
vercelnext.js
15.6.0:canary1
vercelnext.js
15.6.0:canary10
vercelnext.js
15.6.0:canary11
vercelnext.js
15.6.0:canary12
vercelnext.js
15.6.0:canary13
vercelnext.js
15.6.0:canary14
vercelnext.js
15.6.0:canary15
vercelnext.js
15.6.0:canary16
vercelnext.js
15.6.0:canary17
vercelnext.js
15.6.0:canary18
vercelnext.js
15.6.0:canary19
vercelnext.js
15.6.0:canary2
vercelnext.js
15.6.0:canary20
vercelnext.js
15.6.0:canary21
vercelnext.js
15.6.0:canary22
vercelnext.js
15.6.0:canary23
vercelnext.js
15.6.0:canary24
vercelnext.js
15.6.0:canary25
vercelnext.js
15.6.0:canary26
vercelnext.js
15.6.0:canary27
vercelnext.js
15.6.0:canary28
vercelnext.js
15.6.0:canary29
vercelnext.js
15.6.0:canary3
vercelnext.js
15.6.0:canary30
vercelnext.js
15.6.0:canary31
vercelnext.js
15.6.0:canary32
vercelnext.js
15.6.0:canary33
vercelnext.js
15.6.0:canary34
vercelnext.js
15.6.0:canary35
vercelnext.js
15.6.0:canary36
vercelnext.js
15.6.0:canary37
vercelnext.js
15.6.0:canary38
vercelnext.js
15.6.0:canary39
vercelnext.js
15.6.0:canary4
vercelnext.js
15.6.0:canary40
vercelnext.js
15.6.0:canary41
vercelnext.js
15.6.0:canary42
vercelnext.js
15.6.0:canary43
vercelnext.js
15.6.0:canary44
vercelnext.js
15.6.0:canary45
vercelnext.js
15.6.0:canary46
vercelnext.js
15.6.0:canary47
vercelnext.js
15.6.0:canary48
vercelnext.js
15.6.0:canary49
vercelnext.js
15.6.0:canary5
vercelnext.js
15.6.0:canary50
vercelnext.js
15.6.0:canary51
vercelnext.js
15.6.0:canary52
vercelnext.js
15.6.0:canary53
vercelnext.js
15.6.0:canary54
vercelnext.js
15.6.0:canary55
vercelnext.js
15.6.0:canary56
vercelnext.js
15.6.0:canary57
vercelnext.js
15.6.0:canary58
vercelnext.js
15.6.0:canary59
vercelnext.js
15.6.0:canary6
vercelnext.js
15.6.0:canary7
vercelnext.js
15.6.0:canary8
vercelnext.js
15.6.0:canary9
vercelnext.js
16.1.0
vercelnext.js
16.1.0:canary0
vercelnext.js
16.1.0:canary1
vercelnext.js
16.1.0:canary10
vercelnext.js
16.1.0:canary11
vercelnext.js
16.1.0:canary12
vercelnext.js
16.1.0:canary13
vercelnext.js
16.1.0:canary14
vercelnext.js
16.1.0:canary15
vercelnext.js
16.1.0:canary16
vercelnext.js
16.1.0:canary17
vercelnext.js
16.1.0:canary18
vercelnext.js
16.1.0:canary2
vercelnext.js
16.1.0:canary3
vercelnext.js
16.1.0:canary4
vercelnext.js
16.1.0:canary5
vercelnext.js
16.1.0:canary6
vercelnext.js
16.1.0:canary7
vercelnext.js
16.1.0:canary8
vercelnext.js
16.1.0:canary9
𝑥
= Vulnerable software versions
References
https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55183