CVE-2025-55183

Published Dec 11, 2025

Last updated a day ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-55183 is an information disclosure vulnerability in React Server Components. It affects specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1, including the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerability allows attackers to extract the compiled source code of Server Actions: a specially crafted HTTP request sent to a vulnerable Server Function can potentially return the source code of any Server Function. Exploitation requires the existence of a Server Function that explicitly or implicitly exposes a stringified argument.

Description
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Source: cve-assign@fb.com
NVD status: Analyzed
Products: react, next.js

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.3
Impact score: 1.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: NVD-CWE-noinfo

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

42

  1. 🚨 Urgent WAF update! 🚨 We've released emergency rules to protect against server-function exposure (CVE-2025-55183) & resource exhaustion (CVE-2025-55184). Enhanced security for your apps! 🛡️ https://t.co/ikyIQ9QaLX

    @mveracf

    13 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔴 React Server Components: 3 New CVEs Surface After React2Shell React2Shell (CVE-2025-55182 + CVE-2025-66478) spawned three more RSC vulnerabilities within days. CVE-2025-55183 leaks server-side source code including secrets when attackers coerce Server Functions to return

    @the_c_protocol

    13 Dec 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Another one React Server Components Denial of Service - High Severity: CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5) Source Code Exposure - Medium Severity: CVE-2025-55183 (CVSS 5.3) https://t.co/GbSdu7ZDYe #REACT #Exploit #Security https://t.co/30xwa9eCkz

    @ZoltanSEC

    13 Dec 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Two new vulnerabilities disclosed: High-Severity DoS (CVE-2025-55184/67779) Medium-Severity Source Code Exposure (CVE-2025-55183) https://t.co/b1s5C96F3p

    @AryaAmour08

    13 Dec 2025

    49 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. we use nextjs for the internal tool at my work (i am the only person working on it). opened a pr 30 minutes after CVE-2025-55183/4 got patched. pr is still open. will remain open until I ask ~100 times to merge it. is it really that hard to press the fucking button?

    @baga18650

    12 Dec 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Just a week after their first request to update the vulnerable libraries, the React team is asking for the same thing again. This time researchers discovered two vulnerabilities that could be troublesome. CVE-2025-55184 and CV

    @altmemy199

    12 Dec 2025

    1297 Impressions

    0 Retweets

    14 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  7. React security was mostly about preventing XSS. With RSC, the attack surface has shifted. CVE-2025-55183 proves improper Server Action validation can leak backend logic. The client-server boundary is thinner than you think.

    @abieyuwaimina

    12 Dec 2025

    123 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-55183 nuclei template https://t.co/Z2kdxBTBWi #CVE #nuclei #REACT https://t.co/9ZdG07uxFf

    @sirifu4k1

    12 Dec 2025

    797 Impressions

    4 Retweets

    9 Likes

    6 Bookmarks

    1 Reply

    0 Quotes

  9. ‼️ Next.js Security Update: December 11, 2025 Two new React Server Components bugs affect Next.js App Router apps: a DoS infinite-loop hang (CVE-2025-55183, CVE-2025-55184) and Server Function source-code exposure (CVE-2025-55183) #code https://t.co/iOUVVrGSRL

    @onix_react

    12 Dec 2025

    63 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. NEW React/Next.JS VULNERABILITIES JUST DROPPED 🔪 CVE-2025-55183 and CVE-2025-55184 React dropping new bangers every week 🗿 https://t.co/P4J0dW3zYc

    @visharadup

    12 Dec 2025

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. [Follow-up / Urgent] Additional vulnerabilities in React Server Components (CVE-2025-55184 / CVE-2025-55183). The previous patch was also incomplete; updating again is required [covers Next.js / Bun] https://t.co/2wrFz1La0j #Qiitaアドカレ #Qiita via @PythonHaru

    @yousukezan

    12 Dec 2025

    10376 Impressions

    35 Retweets

    124 Likes

    68 Bookmarks

    0 Replies

    2 Quotes

  12. 🚨 Two new React Server Components (Next.js App Router) vulnerabilities disclosed: • CVE-2025-55184 (High) – DoS via malicious RSC payload → server hangs & CPU spike • CVE-2025-55183 (Medium) – Leak compiled Server Actions source code (business logic exposure)

    @cletuskingdom

    12 Dec 2025

    179 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  13. 🚨 URGENT: The React2Shell fix wasn't enough! New critical React Server Components vulnerabilities just dropped (CVE-2025-55184 DoS + CVE-2025-55183 source code leak) after researchers dug deeper into the original patches. These are separate from last week's RCE (still https:

    @ronibhakta1

    12 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-55183 PoC — React Server Functions source code leak Find actionId in JS chunks: // DevTools regex: "([a-f0-9]{40,42})" Send malformed RSC payload: ["$F1"] {"id":"<action-id>"} Server returns server-side code. #bugbountytips #infosec #websecurity #bugbounty ht

    @themastersunil

    12 Dec 2025

    25 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  15. 🚨React Server Component has discovered more CVEs : - CVE-2025-55184 (DoS) - CVE-2025-67779 (DoS) - CVE-2025-55183 (Source code disclosure) Versions affected : 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of: - react-server-dom-webpack -

    @ValkyriSecurity

    12 Dec 2025

    363 Impressions

    1 Retweet

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. [New] React just found more bugs hiding in its last big patch. 🧩 CVE-2025-55184 & CVE-2025-67779 — can crash servers with one request. 🧩 CVE-2025-55183 — can leak source code from React Server Components. 👀 All discovered while testing the earlier CVE-2025-5518

    @TheHackersNews

    12 Dec 2025

    10589 Impressions

    31 Retweets

    112 Likes

    24 Bookmarks

    2 Replies

    2 Quotes

  17. React/Next.js CVE-2025-55183 Source code leakage PoC | Bypasses Cloudflare! https://t.co/8RaxL1MWpB

    @termireum

    12 Dec 2025

    9212 Impressions

    30 Retweets

    169 Likes

    105 Bookmarks

    3 Replies

    0 Quotes

  18. i keep getting email every day from talha tariq for "CVE-2025-55184 and CVE-2025-55183 in the React Server Components (RSC) implementation, affecting frameworks such as Next.js. Update application with latest patch." what vibe coding does to you

    @archiexzzz

    12 Dec 2025

    22161 Impressions

    8 Retweets

    381 Likes

    31 Bookmarks

    18 Replies

    4 Quotes

  19. A little morning research. New React/Next.js CVE-2025-55183 Source code leakage PoC Bypasses Cloudflare! @FearsOff #react #bypass #cloudflare https://t.co/4Yl4yRUg07

    @k_firsov

    12 Dec 2025

    33218 Impressions

    64 Retweets

    411 Likes

    246 Bookmarks

    13 Replies

    2 Quotes

  20. "CVE-2025-55183 (Medium Severity – Source Code Exposure): A malicious HTTP request sent to any App Router endpoint can return the compiled source code of Server Actions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly SRV ac

    @marmureanuweb

    12 Dec 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 React Server Components [—] Dec 12, 2025 Comprehensive security advisory focusing on multiple recent critical vulnerabilities (including CVE-2025-55182, CVE-2025-55184, CVE-2025-55183, CVE-2025-67779) affecting React Server Components and related frameworks. Detailed... ht

    @transilienceai

    12 Dec 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Again? In less than a week we have TWO more vulnerabilities targeting React. CVE-2025-55183 - information leak vulnerability CVE-2025-55184 - A pre-authentication denial of service vulnerability Upgrade your apps again.... https://t.co/35GNIUuXN9

    @itsdevdaniel

    12 Dec 2025

    482 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  23. Woke up to more React Server Component (RSC) security news! 🚨 It's a rough morning for developers. Two new vulnerabilities disclosed: High-Severity DoS (CVE-2025-55184/67779) Medium-Severity Source Code Exposure (CVE-2025-55183) PATCH IMMEDIATELY😮‍💨 https://t.co/MmBp

    @AryaAmour08

    12 Dec 2025

    250 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🚨 BREAKING: React drops new security patches for CVE-2025-55183 & CVE-2025-67779 Two new vulnerabilities discovered: ✅ DoS (CVSS 7.5) - can crash your servers ✅ Source code exposure (CVSS 5.3) - leaks business logic Read Details - https://t.co/lK2IxGUuBw #React2shel

    @cyberkendra

    12 Dec 2025

    81 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. New React RSC vulnerabilities just dropped! CVE-2025-55184 and CVE-2025-55183, detailed in the latest Next.js & React security bulletins. Initial patches in React 19.0.1/19.1.2/19.2.1 turned out incomplete, leading to a new DoS vuln CVE-2025-67779 https://t.co/xD9Th3fRHk

    @sunggatalimbet

    12 Dec 2025

    370 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. 🚨 React has disclosed two new, additional vulnerabilities to the critical RCE vuln of last week - CVE-2025-55183 and CVE-2025-55184. Patches are available and urged to be applied immediately. Track live attacks against React honeypots 👉https://t.co/GXFaqggV8a https://t.co

    @DefusedCyber

    11 Dec 2025

    5241 Impressions

    19 Retweets

    77 Likes

    20 Bookmarks

    0 Replies

    1 Quote

  27. Fun react bug, (CVE-2025-55183) if you have a server side component and it explicitly or implicitly exposes a stringified argument you can get the source code for that function. Also found DoS, but reported it to vercel instead of meta and someone else reported the next day 🙃 htt

    @AndrewMohawk

    11 Dec 2025

    2673 Impressions

    10 Retweets

    39 Likes

    10 Bookmarks

    4 Replies

    0 Quotes

  28. Two new React Server Component vulnerabilities were just disclosed: 🔹 CVE-2025-55183: Info disclosure via coerced server function args 🔹 CVE-2025-55184: DoS via infinite promise recursion We've deployed Adaptive Security Engine Rapid Rules. Learn more: https://t.co/FhZApc5

    @akamai_research

    11 Dec 2025

    5628 Impressions

    2 Retweets

    8 Likes

    0 Bookmarks

    0 Replies

    2 Quotes

  29. Cloudflare has released new emergency WAF rules addressing the following CVE to enhance customer protection.  * React - Leaking Server Functions (CVE-2025-55183)  * React - DoS (CVE-2025-55184) https://t.co/SdCU2jeMiQ

    @Cloudforce_One

    11 Dec 2025

    1594 Impressions

    5 Retweets

    21 Likes

    3 Bookmarks

    2 Replies

    0 Quotes

Configurations