CVE-2025-55183
published 2025-12-11


Priority: P261 · medium 5.3 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EXPLOIT
EPSS: 62.41% (99.1th percentile)
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Affected

39 ranges, showing 25

Vendor   | Product                    | Version range                   | Fixed in
---------|----------------------------|---------------------------------|---------
facebook | react                      | >= 19.0.0 < 19.0.2              | 19.0.2
facebook | react                      | >= 19.1.0 < 19.1.3              | 19.1.3
facebook | react                      | >= 19.2.0 < 19.2.2              | 19.2.2
meta     | react-server-dom-parcel    | >= 19.0.0 < 19.0.2              | 19.0.2
meta     | react-server-dom-parcel    | 19.0.0 – 19.0.1                 |
meta     | react-server-dom-parcel    | >= 19.1.0 < 19.1.3              | 19.1.3
meta     | react-server-dom-parcel    | 19.1.0 – 19.1.2                 |
meta     | react-server-dom-parcel    | >= 19.2.0 < 19.2.2              | 19.2.2
meta     | react-server-dom-parcel    | 19.2.0 – 19.2.1                 |
meta     | react-server-dom-turbopack | >= 19.0.0 < 19.0.2              | 19.0.2
meta     | react-server-dom-turbopack | 19.0.0 – 19.0.1                 |
meta     | react-server-dom-turbopack | >= 19.1.0 < 19.1.3              | 19.1.3
meta     | react-server-dom-turbopack | 19.1.0 – 19.1.2                 |
meta     | react-server-dom-turbopack | >= 19.2.0 < 19.2.2              | 19.2.2
meta     | react-server-dom-turbopack | 19.2.0 – 19.2.1                 |
meta     | react-server-dom-webpack   | >= 19.0.0 < 19.0.2              | 19.0.2
meta     | react-server-dom-webpack   | 19.0.0 – 19.0.1                 |
meta     | react-server-dom-webpack   | >= 19.1.0 < 19.1.3              | 19.1.3
meta     | react-server-dom-webpack   | 19.1.0 – 19.1.2                 |
meta     | react-server-dom-webpack   | >= 19.2.0 < 19.2.2              | 19.2.2
meta     | react-server-dom-webpack   | 19.2.0 – 19.2.1                 |
next     | next                       | >= 15.0.0-canary.0 < 15.0.6     | 15.0.6
next     | next                       | >= 15.1.1-canary.0 < 15.1.10    | 15.1.10
next     | next                       | >= 15.2.0-canary.0 < 15.2.7     | 15.2.7
next     | next                       | >= 15.3.0-canary.0 < 15.3.7     | 15.3.7

Detection & IOCs (extracted from sources)

  • CVE-2025-55183 is triggered by a specifically crafted HTTP request to a Server Function endpoint that causes the server to unsafely return source code of any Server Function; look for anomalous HTTP responses containing server-side source code from Server Function endpoints.
  • Exploitation requires a Server Function that explicitly or implicitly exposes a stringified argument; audit all Server Function implementations for string coercion of arguments as a prerequisite indicator of exploitability.
  • CVE-2025-55183 affects react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack, and @vitejs/plugin-rsc; inventory these packages and flag any deployment running versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, or 19.2.1.
  • CVE-2025-55183 is an information disclosure (source code leak) with limited impact; it is distinct from the critical RCE CVE-2025-55182 but shares the same React Server Components attack surface — Server Function HTTP endpoints.
  • CVE-2025-55183 only manifests in 'specific configurations' where a Server Function explicitly or implicitly exposes a stringified argument; not all deployments of the affected package versions are exploitable.
  • Patching to at least React Server Components 19.2.2 is required to remediate CVE-2025-55183's information disclosure; 19.2.2 also addresses CVE-2025-55184 DoS but NOT CVE-2025-67779 DoS — 19.2.3 is needed for full DoS coverage.
  • For @vitejs/plugin-rsc, the fix for CVE-2025-55183 is version 0.5.7.
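The package inventory step above can be scripted. The following Node.js check is an added example, not code from cbcvebase, React or Next.js: it transcribes the affected ranges from the table into a lookup and flags any dependency that falls inside one, treating canary builds with proper semver prerelease ordering. It assumes the input is a flat name-to-version map (for instance, the resolved versions pulled out of a lockfile); the sample map at the bottom is constructed.

```javascript
// Added example, not part of the advisory: flag installed packages whose versions
// fall in the affected ranges transcribed from the table above ([first affected, fixed-in)).
const RSC_RANGES = [["19.0.0", "19.0.2"], ["19.1.0", "19.1.3"], ["19.2.0", "19.2.2"]];
const AFFECTED = {
  react: RSC_RANGES,
  "react-server-dom-parcel": RSC_RANGES,
  "react-server-dom-turbopack": RSC_RANGES,
  "react-server-dom-webpack": RSC_RANGES,
  next: [["15.0.0-canary.0", "15.0.6"], ["15.1.1-canary.0", "15.1.10"], ["15.2.0-canary.0", "15.2.7"], ["15.3.0-canary.0", "15.3.7"]],
};
// Minimal semver parser: "15.2.0-canary.3" -> { core: [15, 2, 0], pre: ["canary", 3] }.
function parse(v) {
  const [core, ...rest] = v.replace(/^v/, "").split("+")[0].split("-");
  const pre = rest.length ? rest.join("-").split(".").map((id) => (/^\d+$/.test(id) ? Number(id) : id)) : [];
  return { core: core.split(".").map(Number), pre };
}
function cmpIds(a, b) { // semver rule: numeric identifiers sort before alphanumeric ones
  if (typeof a === "number" && typeof b === "number") return a - b;
  if (typeof a !== typeof b) return typeof a === "number" ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}
// Comparator (<0, 0, >0). A canary build sorts below the release it precedes.
function compare(x, y) {
  const a = parse(x), b = parse(y);
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length; // release > prerelease
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (i >= a.pre.length || i >= b.pre.length) return a.pre.length - b.pre.length; // shorter set is lower
    const c = cmpIds(a.pre[i], b.pre[i]);
    if (c) return c;
  }
  return 0;
}
// The affected range an installed version falls in, or null if it is not affected.
function findAffectedRange(name, version) {
  for (const [min, fixed] of AFFECTED[name] || []) {
    if (compare(version, min) >= 0 && compare(version, fixed) < 0) return { min, fixed };
  }
  return null;
}
// Scan a flat { name: version } map, e.g. the resolved dependencies from a lockfile.
function scan(deps) {
  return Object.entries(deps).flatMap(([n, v]) => {
    const r = findAffectedRange(n, v);
    return r ? [`${n}@${v} affected (>= ${r.min} < ${r.fixed}); upgrade to ${r.fixed}`] : [];
  });
}
// Constructed sample input, not a real project.
const SAMPLE_DEPS = { react: "19.2.1", "react-server-dom-webpack": "19.1.3", next: "15.2.0-canary.3", lodash: "4.17.21" };
console.log(scan(SAMPLE_DEPS).join("\n"));
```

The @vitejs/plugin-rsc fix (0.5.7) is not in the ranges table, so it is not in the lookup; add it once the lower bound is known.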

CVSS provenance

nvd: v3.1 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ghsa: 5.3 MEDIUM
osv: 5.3 MEDIUM
vendor_redhat: 5.3 MEDIUM