CVEFinder.io

CVE-2025-55183

🔶 medium
🔍 Scan for this CVE
Summary

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

CVSS Score
5.3
Medium
EPSS Score
24.6
Exploit Probability
Published Date
2025-12-11
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.8% of all 318,332 vulnerabilities in our database.

#255,199
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Jan 7, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-12-12
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

📦 Affected Products 12

Vendor Product Status Affected Versions
facebook react Affected
≥ 19.0.0 < 19.0.2
facebook react Affected
≥ 19.1.0 < 19.1.3
facebook react Affected
≥ 19.2.0 < 19.2.2
vercel next.js Affected
≥ 15.0.0 < 15.0.7
vercel next.js Affected
≥ 15.1.0 < 15.1.11
vercel next.js Affected
≥ 15.2.0 < 15.2.8
vercel next.js Affected
≥ 15.3.0 < 15.3.8
vercel next.js Affected
≥ 15.4.0 < 15.4.10
vercel next.js Affected
≥ 15.5.0 < 15.5.9
vercel next.js Affected
≥ 16.0.0 < 16.0.10
vercel next.js Affected
v15.6.0
vercel next.js Affected
v16.1.0

🔗 References 2

https://react.dev/blog/2025/12/11/denial-of-service-...
Exploit Vendor Advisory
https://www.facebook.com/security/advisories/cve-202...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-27977 🔶 medium 5.4 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1... 2026-03-18
CVE-2026-27978 🔶 medium 4.3 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1... 2026-03-18
CVE-2026-27979 ⚠️ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1... 2026-03-18
CVE-2026-27980 ⚠️ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 1... 2026-03-18
CVE-2026-29057 🔶 medium 6.5 0.1 Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 1... 2026-03-18
CVE-2026-23864 ⚠️ high 7.5 0.9 Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-ser... 2026-01-26
These CVEs affect the same products