Home

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

PUBLISHED Reserved 2025-08-08 | Published 2025-12-11 | Updated 2025-12-11 | Assigner Meta




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

(CWE-502) Deserialization of Untrusted Data. (CWE-497) Exposure of Sensitive System Information to an Unauthorized Actor

Product status

Default status
unaffected

19.0.0 (semver)
affected

19.1.0 (semver)
affected

19.2.0 (semver)
affected

Default status
unaffected

19.0.0 (semver)
affected

19.1.0 (semver)
affected

19.2.0 (semver)
affected

Default status
unaffected

19.0.0 (semver)
affected

19.1.0 (semver)
affected

19.2.0 (semver)
affected

References

www.facebook.com/security/advisories/cve-2025-55183

react.dev/...source-code-exposure-in-react-server-components

cve.org (CVE-2025-55183)

nvd.nist.gov (CVE-2025-55183)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.