Vulnerability DatabaseCVE-2025-55183

CVE-2025-55183:
React Server Components vulnerability analysis and mitigation

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

5.3

Score

Published December 11, 2025

Severity MEDIUM

CNA Score 5.3

High-profile Vulnerability Yes

Affected Technologies

React Server Components
Next.js

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 94.1

Exploitation Probability (EPSS) 14.1

Affected packages and libraries

react-server-dom-parcel
react-server-dom-turbopack

Sources

NVD
GitHub Advisory Database
- npm Severity MEDIUMHas FixAdded at: Dec 12, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related React Server Components vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-55182	CRITICAL	10	JavaScript	waku	Yes	Yes	Dec 03, 2025
CVE-2025-67779	HIGH	7.5	React Server Components	@vitejs/plugin-rsc	No	Yes	Dec 12, 2025
CVE-2025-55184	HIGH	7.5	React Server Components	next	No	Yes	Dec 11, 2025
CVE-2025-55183	MEDIUM	5.3	React Server Components	react-server-dom-parcel	No	Yes	Dec 11, 2025