CVE-2025-55183
MEDIUM
Description
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
CVSS v3.1 Score
Affected Products
| Vendor | Product |
|---|---|
| react | |
| vercel | next.js |
Related Vulnerabilities
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following …
Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file …
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, …
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial …
A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory …
Sending an HTTP request/response body with greater than 2^31 bytes triggers an infinite loop in proxygen::coro::HTTPQuicCoroSession which blocks the backing …