React Server Components source code leak security flaw (CVE-2025-55183)
Vulnerability
Summary
CVE-2025-55183 discloses a React Server Components information leak that could expose the source code of any Server Function in affected react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack builds. The flaw matters because a crafted HTTP request can trigger the leak on vulnerable Server Function endpoints, and fixes are now available.
Cases
Related Happenings
React2Shell exploitation campaign delivering EtherRAT
Campaign
First: 09.12.2025 19:15
Last: 09.12.2025 19:15
Sources 1
About this happening:
The **React2Shell** exploitation campaign now goes beyond initial access, with attackers dropping **EtherRAT** and other post-exploit tooling to keep long-term access. The activit...
CISA KEV listing and federal deadline for React2Shell
Public Sector Action
First: 06.12.2025 13:40
Last: 06.12.2025 13:40
Sources 1
About this happening:
CISA added **CVE-2025-55182** to the **KEV catalog** after reports of **active exploitation** of **React Server Components**. The listing turns the **React2Shell** flaw into a fed...
React/Next.js RSC Flight insecure deserialization RCE (multiple vulnerabilities)
Vulnerability
First: 04.12.2025 17:11
Last: 04.12.2025 17:11
Sources 1
About this happening:
**React2Shell** in the **React Server Components (RSC) Flight protocol** is being exploited in the wild to achieve **unauthenticated remote code execution** in **React** and **Nex...
Latest development: 09.12.2025 20:25
North Korea-linked threat actors are likely exploiting CVE-2025-55182 in affected React Server Components (RSC) deployments to execute a Base64-encoded shell command, download a shell script, fetch Node.js v20.10.0 from nodejs.org, and deploy the EtherRAT remote access trojan with Ethereum smart contract-based C2 resolution.
Timeline
12.12.2025 10:55 · 2 articles
React Server Components source code leak fixes
Initial Disclosure
The React team released fixes for React Server Components vulnerabilities affecting react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack, including CVE-2025-55183, an information leak in which a crafted HTTP request sent to a vulnerable Server Function can return the source code of any Server Function. Successful exploitation requires a Server Function that explicitly or implicitly exposes an argument converted into a string, and operators are advised to upgrade to 19.0.3, 19.1.4, or 19.2.3.
Sources
- New React RSC Vulnerabilities Enable DoS and Source Code Exposure — thehackernews.com — 12.12.2025 10:55