Information Leak in React Server Components by Meta Platforms
CVE-2025-55183

5.3 MEDIUM

Key Information:

Badges

Trended | Score: 7,740 | Exploit Exists | Public PoC | EPSS 12% | News Worthy

What is CVE-2025-55183?

CVE-2025-55183 is an information leak vulnerability identified in specific configurations of React Server Components, developed by Meta Platforms. This framework lets developers build server-rendered applications with optimized performance and a rich user experience. The vulnerability affects versions 19.0.0 through 19.2.1 across several packages: an attacker can send a specially crafted HTTP request to a vulnerable Server Function and, if successful, unintentionally cause the server to reveal the source code of that Server Function, which may contain sensitive application logic or data. Exposing source code is a considerable risk because it undermines the confidentiality of the application and can enable further attacks.

Potential impact of CVE-2025-55183

  1. Sensitive Data Exposure: The most immediate concern is that the vulnerability may lead to the unintentional exposure of source code, potentially disclosing sensitive information such as API keys, authentication tokens, or proprietary algorithms utilized in the application.

  2. Increased Attack Surface: By leaking source code, attackers gain invaluable insights into the application's structure and functionality. This could facilitate advanced threat profiles and customized exploits, significantly increasing the potential for further attacks on the affected system.

  3. Reputational Damage and Trust Erosion: Organizations affected by this vulnerability may face reputational harm, particularly if source code exposure leads to data breaches or security incidents. This could erode customer trust and impact future business opportunities, as clients may become cautious regarding the security practices of the organization.

Affected Version(s)

react-server-dom-parcel >= 19.0.0, <= 19.0.1

react-server-dom-parcel >= 19.1.0, <= 19.1.2

react-server-dom-parcel >= 19.2.0, <= 19.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

No, GPT-5.1 Didn’t Save React: The Viral Lie Exposed

On December 19, a claim from fintech commentator Wes Roth moved through the security community on X with the speed of a zero-day exploit. "AI just helped patch the real web." ...

3 weeks ago

CVE-2025-55183 and CVE-2025-55184: New React RSC Vulnerabilities Expose Applications to Denial of Service Attacks and Source Code Leaks | SOC Prime

Explore details for CVE-2025-55183 and CVE-2025-55184, React RSC vulnerabilities enabling DoS and source disclosure, with an analysis on SOC Prime blog.

4 weeks ago

Three New React Vulnerabilities Surface on the Heels of React2Shell

New React vulnerabilities widen the impact of React2Shell, exposing risks from RCE to DoS and source leaks. Teams must upgrade and mitigate immediately.

1 month ago

References

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability started trending

  • Public PoC available

  • Exploit known to exist

  • First article discovered by The Cloudflare Blog

  • Vulnerability published

  • Vulnerability reserved
