Moderate severityOSV Advisory· Published Dec 11, 2025· Updated Jan 7, 2026
CVE-2025-55183
CVE-2025-55183
Description
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
react-server-dom-parcelnpm | >= 19.0.0, < 19.0.2 | 19.0.2 |
react-server-dom-turbopacknpm | >= 19.0.0, < 19.0.2 | 19.0.2 |
react-server-dom-webpacknpm | >= 19.0.0, < 19.0.2 | 19.0.2 |
react-server-dom-parcelnpm | >= 19.1.0, < 19.1.3 | 19.1.3 |
react-server-dom-parcelnpm | >= 19.2.0, < 19.2.2 | 19.2.2 |
react-server-dom-turbopacknpm | >= 19.1.0, < 19.1.3 | 19.1.3 |
react-server-dom-turbopacknpm | >= 19.2.0, < 19.2.2 | 19.2.2 |
react-server-dom-webpacknpm | >= 19.1.0, < 19.1.3 | 19.1.3 |
react-server-dom-webpacknpm | >= 19.2.0, < 19.2.2 | 19.2.2 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-925w-6v3x-g4j4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-55183ghsaADVISORY
- github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4ghsaWEB
- react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-componentsghsax_refsource_CONFIRMWEB
- www.facebook.com/security/advisories/cve-2025-55183ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.