CVEFinder.io

CVE-2025-55183

đŸ”ļ medium
🔍 Scan for this CVE
Summary

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

CVSS Score
5.3
Medium
EPSS Score
24.6
Exploit Probability
Published Date
2025-12-11
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.8% of all 323,894 vulnerabilities in our database.

#259,746
Below average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: Jan 7, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙ī¸ Automatable
YES
Can be exploited automatically
đŸ’Ĩ Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2025-12-12
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

đŸ“Ļ Affected Products 12

Vendor Product Status Affected Versions
facebook react Affected
≥ 19.0.0 < 19.0.2
facebook react Affected
≥ 19.1.0 < 19.1.3
facebook react Affected
≥ 19.2.0 < 19.2.2
vercel next.js Affected
≥ 15.0.0 < 15.0.7
vercel next.js Affected
≥ 15.1.0 < 15.1.11
vercel next.js Affected
≥ 15.2.0 < 15.2.8
vercel next.js Affected
≥ 15.3.0 < 15.3.8
vercel next.js Affected
≥ 15.4.0 < 15.4.10
vercel next.js Affected
≥ 15.5.0 < 15.5.9
vercel next.js Affected
≥ 16.0.0 < 16.0.10
vercel next.js Affected
v15.6.0
vercel next.js Affected
v16.1.0

🔗 References 2

https://react.dev/blog/2025/12/11/denial-of-service-...
Exploit Vendor Advisory
https://www.facebook.com/security/advisories/cve-202...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44572 ℹī¸ low 3.7 0.0 Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an exte... 2026-05-13
CVE-2026-44573 ⚠ī¸ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applica... 2026-05-13
CVE-2026-44574 ⚠ī¸ high 8.1 0.0 Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applica... 2026-05-13
CVE-2026-44575 ⚠ī¸ high 7.5 0.0 Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Rou... 2026-05-13
CVE-2026-44576 đŸ”ļ medium 5.4 0.0 Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applica... 2026-05-13
CVE-2026-44578 ⚠ī¸ high 8.6 4.0 Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-h... 2026-05-13
These CVEs affect the same products