Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-925w-6v3x-g4j4: Source Code Exposure Vulnerability in React Server Components

Impact

There is a source code exposure vulnerability in React Server Components.

React recommends updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:

These issues are present in the patches published last week.

Patches

Fixes were back ported to versions 19.0.2, 19.1.3, and 19.2.2.

If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

References

See the blog post for more information and upgrade instructions.

ghsa
Open in Source
#vulnerability#web#dos#nodejs#js#git#intel

Skip to content

Navigation Menu

    • AI CODE CREATION

      • GitHub CopilotWrite better code with AI

      • GitHub SparkBuild and deploy intelligent apps

      • GitHub ModelsManage and compare prompts

      • MCP RegistryNewIntegrate external tools

View all features
  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

Appearance settings

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-55183

Source Code Exposure Vulnerability in React Server Components

Moderate severity GitHub Reviewed Published Dec 11, 2025 in facebook/react • Updated Dec 11, 2025

Package

npm react-server-dom-parcel (npm)

Affected versions

>= 19.0.0, < 19.0.2

>= 19.1.0, < 19.1.3

>= 19.2.0, < 19.2.2

Patched versions

19.0.2

19.1.3

19.2.2

npm react-server-dom-turbopack (npm)

>= 19.0.0, < 19.0.2

>= 19.1.0, < 19.1.3

>= 19.2.0, < 19.2.2

npm react-server-dom-webpack (npm)

>= 19.0.0, < 19.0.2

>= 19.1.0, < 19.1.3

>= 19.2.0, < 19.2.2

Description

Impact

There is a source code exposure vulnerability in React Server Components.

React recommends updating immediately.

The vulnerability exists in versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1 of:

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

These issues are present in the patches published last week.

Patches

Fixes were back ported to versions 19.0.2, 19.1.3, and 19.2.2.

If you are using any of the above packages please upgrade to any of the fixed versions immediately.

If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.

References

See the blog post for more information and upgrade instructions.

References

  • GHSA-925w-6v3x-g4j4
  • https://nvd.nist.gov/vuln/detail/CVE-2025-55183
  • https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  • https://www.facebook.com/security/advisories/cve-2025-55183

Published to the GitHub Advisory Database

Dec 11, 2025

Last updated

Dec 11, 2025

EPSS score

ghsa: Latest News

GHSA-w37m-7fhw-fmv9: Next Server Actions Source Code Exposure
ghsa