24h | 7d | 30d

CVE-2025-55183

Overview

  • Meta
  • react-server-dom-webpack
11 Dec 2025
Published
11 Dec 2025
Updated
CVSS v3.1
MEDIUM (5.3)
EPSS
1.06%
KEV

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture
ekiledjian @edwardk

New React RSC Vulnerabilities Enable DoS and Source Code Exposure
thehackernews.com/2025/12/new-

The React team has released fixes for two new types of flaws in React Server
Components (RSC) that, if successfully exploited, could result in
denial-of-service (DoS) or source code exposure.

The team said the issues were found by the security community while attempting
to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a
critical bug in RSC that has since been weaponized in the wild.

The three vulnerabilities are listed below -

CVE-2025-55184 (CVSS score: 7.5) - A pre-authentication denial of service
vulnerability arising from unsafe deserialization of payloads from HTTP
requests to Server Function endpoints, triggering an infinite loop that hangs
the server process and may prevent future HTTP requests from being served
CVE-2025-67779 (CVSS score: 7.5) - An incomplete fix for CVE-2025-55184 that
has the same impact
CVE-2025-55183 (CVSS score: 5.3) - An information leak vulnerability that may
cause a specifically crafted HTTP request sent to a vulnerable Server Function
to return the source code of any Server Function

However, successful exploitation of CVE-2025-55183 requires the existence of a
Server Function that explicitly or implicitly exposes an argument that has
been converted into a string format.

  • 0
  • 0
  • 0
  • 5h ago

CVE-2025-67779

Overview

  • Meta
  • react-server-dom-parcel
11 Dec 2025
Published
12 Dec 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.06%
KEV

Description

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture
ekiledjian @edwardk

New React RSC Vulnerabilities Enable DoS and Source Code Exposure
thehackernews.com/2025/12/new-

The React team has released fixes for two new types of flaws in React Server
Components (RSC) that, if successfully exploited, could result in
denial-of-service (DoS) or source code exposure.

The team said the issues were found by the security community while attempting
to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a
critical bug in RSC that has since been weaponized in the wild.

The three vulnerabilities are listed below -

CVE-2025-55184 (CVSS score: 7.5) - A pre-authentication denial of service
vulnerability arising from unsafe deserialization of payloads from HTTP
requests to Server Function endpoints, triggering an infinite loop that hangs
the server process and may prevent future HTTP requests from being served
CVE-2025-67779 (CVSS score: 7.5) - An incomplete fix for CVE-2025-55184 that
has the same impact
CVE-2025-55183 (CVSS score: 5.3) - An information leak vulnerability that may
cause a specifically crafted HTTP request sent to a vulnerable Server Function
to return the source code of any Server Function

However, successful exploitation of CVE-2025-55183 requires the existence of a
Server Function that explicitly or implicitly exposes an argument that has
been converted into a string format.

  • 0
  • 0
  • 0
  • 5h ago
Showing 31 to 32 of 32 CVEs