Detections
Analytics

CVE-2025-55183

medium

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

References

https://cyberscoop.com/react2shell-vulnerability-fallout-spreads/

https://www.theregister.com/2025/12/15/react2shell_flaw_china_iran/

https://www.securityweek.com/google-sees-5-chinese-groups-exploiting-react2shell-for-malware-delivery/

https://www.databreachtoday.com/nation-state-cybercrime-exploits-tied-to-react2shell-a-30285

https://www.theregister.com/2025/12/12/new_react_secretleak_bugs/

https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

https://nextjs.org/blog/security-update-2025-12-11

https://www.facebook.com/security/advisories/cve-2025-55183

Details

Source: Mitre, NVD

Published: 2025-12-11

Updated: 2025-12-12

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00057