Exposure of Sensitive System Information to an Unauthorized Control Sphere Affecting react-server-dom-webpack package, versions >=19.0.0 <19.0.2, >=19.1.0 <19.1.3, >=19.2.0 <19.2.2


Severity: medium (CVSS assessment by Snyk's Security Team)

EPSS: 1.06% (78th percentile)

  • Snyk ID: SNYK-JS-REACTSERVERDOMWEBPACK-14400641
  • Published: 12 Dec 2025
  • Disclosed: 11 Dec 2025
  • Credit: Andrew MacPherson

Introduced: 11 Dec 2025

CVE-2025-55183
CWE-497

How to fix?

Upgrade react-server-dom-webpack to version 19.0.2, 19.1.3, 19.2.2 or higher.

Overview

react-server-dom-webpack provides React Server Components bindings for the DOM using Webpack. It is intended to be integrated into meta-frameworks, not imported directly.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere. An attacker can access the source code of any Server Function by sending a malicious HTTP request to a vulnerable Server Function.

Notes:

This is only exploitable if a Server Function exists that explicitly or implicitly stringifies one of its arguments (the template literal below is the explicit case; passing the argument to a database call is the implicit one):

    'use server';

    export async function serverFunction(name) {
      const conn = db.createConnection('SECRET KEY');
      const user = await conn.createUser(name); // implicitly stringified, leaked in db
      return {
        id: user.id,
        message: `Hello, ${name}!` // explicitly stringified, leaked in reply
      };
    }

An attacker may be able to leak the following:

0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"}
1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"}

Secrets hardcoded in source code may be exposed, but runtime secrets such as process.env.SECRET are not affected.

The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides.
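The advisory's condition is that an argument reaches a stringification site (a template literal or a database write) without its type ever being checked. The following is an added example, not code from the Snyk advisory or from the React project, showing the defensive argument check a Server Function author would add so that a non-string value is rejected before it can be interpolated or persisted. The `db` object is a hypothetical in-memory stand-in for the advisory's database client, constructed here so the example runs offline. The fix for the advisory itself remains upgrading react-server-dom-webpack; this check only limits what a function can leak when an unexpected value does arrive.

```javascript
'use strict';

// Rejects anything that is not a plain string before it can be interpolated
// or written to storage. The error reports only the type, never the value,
// so the error message itself cannot echo the contents of the argument.
function assertStringArg(value, paramName) {
  if (typeof value !== 'string') {
    throw new TypeError(`${paramName} must be a string, got ${typeof value}`);
  }
  return value;
}

// Hypothetical in-memory stand-in for the advisory's `db` client (constructed
// for this example; the real client would talk to a database).
const db = {
  createConnection() {
    return {
      async createUser(name) {
        // Deterministic constructed id so the result is predictable in tests.
        return { id: 'user-' + name.length, name };
      },
    };
  },
};

// Same shape as the advisory's serverFunction, with the type check in front of
// both stringification sites (the database write and the template literal).
async function serverFunction(name) {
  assertStringArg(name, 'name');
  const conn = db.createConnection('SECRET KEY');
  const user = await conn.createUser(name);
  return { id: user.id, message: `Hello, ${name}!` };
}

// Wrapper that turns the outcome into a plain status object so callers (and
// tests) can check that a rejected argument produces no echo of its contents.
async function callGuarded(arg) {
  try {
    const result = await serverFunction(arg);
    return { status: 'ok', message: result.message };
  } catch (err) {
    return { status: 'rejected', error: err.message };
  }
}
```

The check belongs at the top of the Server Function rather than inside the database helper, because the advisory notes that the bundler may inline other functions into the Server Function: anything reachable from the argument before the first type check is part of the exposure scope.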

Even if your app does not implement any React Server Function endpoints, it may still be vulnerable if it supports React Server Components.

If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and no additional steps are needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.
