CVE-2025-55183

Dec. 12, 2025, 6:18 p.m.

5.3
Medium

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Product(s) Impacted

Vendor Product Versions
Facebook
  • React
  • *
Vercel
  • Next.js
  • *, 15.6.0, 16.1.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a facebook react / / / / / / / /
a facebook react / / / / / / / /
a facebook react / / / / / / / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js / / / / / node.js / /
a vercel next.js 15.6.0 - / / / node.js / /
a vercel next.js 15.6.0 canary0 / / / node.js / /
a vercel next.js 15.6.0 canary1 / / / node.js / /
a vercel next.js 15.6.0 canary10 / / / node.js / /
a vercel next.js 15.6.0 canary11 / / / node.js / /
a vercel next.js 15.6.0 canary12 / / / node.js / /
a vercel next.js 15.6.0 canary13 / / / node.js / /
a vercel next.js 15.6.0 canary14 / / / node.js / /
a vercel next.js 15.6.0 canary15 / / / node.js / /
a vercel next.js 15.6.0 canary16 / / / node.js / /
a vercel next.js 15.6.0 canary17 / / / node.js / /
a vercel next.js 15.6.0 canary18 / / / node.js / /
a vercel next.js 15.6.0 canary19 / / / node.js / /
a vercel next.js 15.6.0 canary2 / / / node.js / /
a vercel next.js 15.6.0 canary20 / / / node.js / /
a vercel next.js 15.6.0 canary21 / / / node.js / /
a vercel next.js 15.6.0 canary22 / / / node.js / /
a vercel next.js 15.6.0 canary23 / / / node.js / /
a vercel next.js 15.6.0 canary24 / / / node.js / /
a vercel next.js 15.6.0 canary25 / / / node.js / /
a vercel next.js 15.6.0 canary26 / / / node.js / /
a vercel next.js 15.6.0 canary27 / / / node.js / /
a vercel next.js 15.6.0 canary28 / / / node.js / /
a vercel next.js 15.6.0 canary29 / / / node.js / /
a vercel next.js 15.6.0 canary3 / / / node.js / /
a vercel next.js 15.6.0 canary30 / / / node.js / /
a vercel next.js 15.6.0 canary31 / / / node.js / /
a vercel next.js 15.6.0 canary32 / / / node.js / /
a vercel next.js 15.6.0 canary33 / / / node.js / /
a vercel next.js 15.6.0 canary34 / / / node.js / /
a vercel next.js 15.6.0 canary35 / / / node.js / /
a vercel next.js 15.6.0 canary36 / / / node.js / /
a vercel next.js 15.6.0 canary37 / / / node.js / /
a vercel next.js 15.6.0 canary38 / / / node.js / /
a vercel next.js 15.6.0 canary39 / / / node.js / /
a vercel next.js 15.6.0 canary4 / / / node.js / /
a vercel next.js 15.6.0 canary40 / / / node.js / /
a vercel next.js 15.6.0 canary41 / / / node.js / /
a vercel next.js 15.6.0 canary42 / / / node.js / /
a vercel next.js 15.6.0 canary43 / / / node.js / /
a vercel next.js 15.6.0 canary44 / / / node.js / /
a vercel next.js 15.6.0 canary45 / / / node.js / /
a vercel next.js 15.6.0 canary46 / / / node.js / /
a vercel next.js 15.6.0 canary47 / / / node.js / /
a vercel next.js 15.6.0 canary48 / / / node.js / /
a vercel next.js 15.6.0 canary49 / / / node.js / /
a vercel next.js 15.6.0 canary5 / / / node.js / /
a vercel next.js 15.6.0 canary50 / / / node.js / /
a vercel next.js 15.6.0 canary51 / / / node.js / /
a vercel next.js 15.6.0 canary52 / / / node.js / /
a vercel next.js 15.6.0 canary53 / / / node.js / /
a vercel next.js 15.6.0 canary54 / / / node.js / /
a vercel next.js 15.6.0 canary55 / / / node.js / /
a vercel next.js 15.6.0 canary56 / / / node.js / /
a vercel next.js 15.6.0 canary57 / / / node.js / /
a vercel next.js 15.6.0 canary58 / / / node.js / /
a vercel next.js 15.6.0 canary59 / / / node.js / /
a vercel next.js 15.6.0 canary6 / / / node.js / /
a vercel next.js 15.6.0 canary7 / / / node.js / /
a vercel next.js 15.6.0 canary8 / / / node.js / /
a vercel next.js 15.6.0 canary9 / / / node.js / /
a vercel next.js 16.1.0 - / / / node.js / /
a vercel next.js 16.1.0 canary0 / / / node.js / /
a vercel next.js 16.1.0 canary1 / / / node.js / /
a vercel next.js 16.1.0 canary10 / / / node.js / /
a vercel next.js 16.1.0 canary11 / / / node.js / /
a vercel next.js 16.1.0 canary12 / / / node.js / /
a vercel next.js 16.1.0 canary13 / / / node.js / /
a vercel next.js 16.1.0 canary14 / / / node.js / /
a vercel next.js 16.1.0 canary15 / / / node.js / /
a vercel next.js 16.1.0 canary16 / / / node.js / /
a vercel next.js 16.1.0 canary17 / / / node.js / /
a vercel next.js 16.1.0 canary18 / / / node.js / /
a vercel next.js 16.1.0 canary2 / / / node.js / /
a vercel next.js 16.1.0 canary3 / / / node.js / /
a vercel next.js 16.1.0 canary4 / / / node.js / /
a vercel next.js 16.1.0 canary5 / / / node.js / /
a vercel next.js 16.1.0 canary6 / / / node.js / /
a vercel next.js 16.1.0 canary7 / / / node.js / /
a vercel next.js 16.1.0 canary8 / / / node.js / /
a vercel next.js 16.1.0 canary9 / / / node.js / /

References

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
https://www.facebook.com/security/advisories/cve-2025-55183

Tags

cve-assign@fb.com
2025-12-11
CVE-2025-55183

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Dec. 11, 2025, 8:16 p.m.
Last Modified: Dec. 12, 2025, 6:18 p.m.

Status : Analyzed

Source

cve-assign@fb.com

Relations

Here is the list of observables linked to the vulnerability CVE-2025-55183 using threat intelligence.

  • ANGRYREBEL.LINUX
  • HISONIC
  • SNOWLIGHT
  • XMRig
  • MINOCAT
  • COMPOOD

Linked Attack Reports

Multiple Threat Actors Exploit React2Shell (CVE-2025-55182)

A critical remote code execution vulnerability in React Server Components, CVE-2025-55182, has been widely exploited by various threat actors. China-nexus espionage groups and financially motivated actors have been observed leveraging this vulnerability to deploy malware such as MINOCAT tunneler, S…
remote code execution
CVE-2025-55182
react2shell
2025-12-13
Published: December 13, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-67779 (CVSS 7.5)
Downloadable IOCs: 7

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.