exploitDog

CVE-2025-55183

Published: 11 Dec 2025
Source: redhat
CVSS3: 5.3
EPSS: Medium

Description

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

A flaw was found in React Server Components (RSC). This vulnerability allows an information leak, where a specifically crafted HTTP (Hypertext Transfer Protocol) request to a vulnerable Server Function can unsafely return its source code. Exploitation requires a Server Function that explicitly or implicitly exposes a stringified argument. A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

Statement

No Red Hat software includes the directly affected React Server Components packages (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack). However, the reference implementation of React Server Components is used by other projects such as Next.js. The packages listed here include Next.js as a dependency, but our analysis indicates that they are not affected by the vulnerability as they do not use the App Router functionality that exposes endpoints serving the vulnerable protocol that can return the compiled source code of Server Functions.

Affected packages

| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | firefox | Not affected | | |
| Red Hat Enterprise Linux 10 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux 7 | firefox | Not affected | | |
| Red Hat Enterprise Linux 8 | firefox | Not affected | | |
| Red Hat Enterprise Linux 8 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux 9 | dotnet7.0 | Not affected | | |
| Red Hat Enterprise Linux 9 | firefox | Not affected | | |
| Red Hat Enterprise Linux 9 | thunderbird | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/bootc-cuda-rhel9 | Not affected | | |
| Red Hat Enterprise Linux AI (RHEL AI) 3 | rhelai3/disk-image-cuda-rhel9 | Not affected | | |

Additional information

Severity: Moderate
Weakness: CWE-497
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2421590
Bugzilla title: next: React Server Components: Source code exposure through crafted HTTP request

EPSS: 0.23425 (percentile 96%, Medium)
CVSS3: 5.3 Medium

Related vulnerabilities

nvd, 3 months ago, CVSS3: 5.3


github, 3 months ago, CVSS3: 5.3

Source Code Exposure Vulnerability in React Server Components
