Inform. Leak in React Server Components 19.0.019.2.1 via Server Function: CVE-2025-55183 December 2025

Inform. Leak in React Server Components 19.0.019.2.1 via Server Function
CVE-2025-55183 Published on December 11, 2025

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

Affected Versions

Version 19.0.0, <= 19.0.1 is affected.

Version 19.1.0, <= 19.1.2 is affected.

Version 19.2.0, <= 19.2.1 is affected.

Version 19.0.0, <= 19.0.1 is affected.

Version 19.1.0, <= 19.1.2 is affected.

Version 19.2.0, <= 19.2.1 is affected.

Version 19.0.0, <= 19.0.1 is affected.

Version 19.1.0, <= 19.1.2 is affected.

Version 19.2.0, <= 19.2.1 is affected.

Vulnerable Packages

The following package name and versions may be associated with CVE-2025-55183

Package Manager	Vulnerable Package	Versions	Fixed In
npm	next	>= 16.1.0-canary.0, < 16.1.0-canary.17	16.1.0-canary.17
npm	react-server-dom-webpack	>= 19.1.0, < 19.1.3	19.1.3
npm	react-server-dom-turbopack	>= 19.2.0, < 19.2.2	19.2.2
npm	react-server-dom-turbopack	>= 19.1.0, < 19.1.3	19.1.3
npm	react-server-dom-parcel	>= 19.2.0, < 19.2.2	19.2.2
npm	react-server-dom-parcel	>= 19.1.0, < 19.1.3	19.1.3
npm	react-server-dom-webpack	>= 19.0.0, < 19.0.2	19.0.2
npm	react-server-dom-turbopack	>= 19.0.0, < 19.0.2	19.0.2
npm	react-server-dom-parcel	>= 19.0.0, < 19.0.2	19.0.2
npm	react-server-dom-webpack	>= 19.2.0, < 19.2.2	19.2.2
npm	next	>= 16.0.0-beta.0, < 16.0.9	16.0.9
npm	next	>= 15.6.0-canary.0, < 15.6.0-canary.59	15.6.0-canary.59
npm	next	>= 15.5.1-canary.0, < 15.5.8	15.5.8
npm	next	>= 15.4.0-canary.0, < 15.4.9	15.4.9
npm	next	>= 15.3.0-canary.0, < 15.3.7	15.3.7
npm	next	>= 15.2.0-canary.0, < 15.2.7	15.2.7
npm	next	>= 15.1.1-canary.0, < 15.1.10	15.1.10
npm	next	>= 15.0.0-canary.0, < 15.0.6	15.0.6

Package Manager

Vulnerable Package

Versions

Fixed In

npm

>= 16.1.0-canary.0, < 16.1.0-canary.17

16.1.0-canary.17

npm

react-server-dom-webpack

>= 19.1.0, < 19.1.3

19.1.3

npm

react-server-dom-turbopack

>= 19.2.0, < 19.2.2

19.2.2

npm

react-server-dom-turbopack

>= 19.1.0, < 19.1.3

19.1.3

npm

react-server-dom-parcel

>= 19.2.0, < 19.2.2

19.2.2

npm

react-server-dom-parcel

>= 19.1.0, < 19.1.3

19.1.3

npm

react-server-dom-webpack

>= 19.0.0, < 19.0.2

19.0.2

npm

react-server-dom-turbopack

>= 19.0.0, < 19.0.2

19.0.2

npm

react-server-dom-parcel

>= 19.0.0, < 19.0.2

19.0.2

npm

react-server-dom-webpack

>= 19.2.0, < 19.2.2

19.2.2

npm

>= 16.0.0-beta.0, < 16.0.9

16.0.9

npm

>= 15.6.0-canary.0, < 15.6.0-canary.59

15.6.0-canary.59

npm

>= 15.5.1-canary.0, < 15.5.8

15.5.8

npm

>= 15.4.0-canary.0, < 15.4.9

15.4.9

npm

>= 15.3.0-canary.0, < 15.3.7

15.3.7

npm

>= 15.2.0-canary.0, < 15.2.7

15.2.7

npm

>= 15.1.1-canary.0, < 15.1.10

15.1.10

npm

>= 15.0.0-canary.0, < 15.0.6

15.0.6

Exploit Probability

EPSS

11.81%

Percentile

93.61%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Inform. Leak in React Server Components 19.0.019.2.1 via Server FunctionCVE-2025-55183 Published on December 11, 2025

Affected Versions

Vulnerable Packages

Exploit Probability

Inform. Leak in React Server Components 19.0.019.2.1 via Server Function
CVE-2025-55183 Published on December 11, 2025