Intel/AIKIDO-2025-10937
next
AIKIDO-2025-10937
next is vulnerable to Source Code Exposure
Source Code ExposureCVE-2025-55183 Published Dec 12, 2025
53
Medium Risk
This Affects:
next15.0.0 - 15.0.6
Fixed in 15.0.715.1.1 - 15.1.10
Fixed in 15.1.1115.2.0 - 15.2.7
Fixed in 15.2.815.3.0 - 15.3.7
Fixed in 15.3.815.4.0 - 15.4.9
Fixed in 15.4.1015.5.1 - 15.5.8
Fixed in 15.5.916.0.0 - 16.0.9
Fixed in 16.0.10Are you affected? Scan for Free
TL;DR
A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.
Who does this affect?
If your application uses the App Router
Background info
next is vulnerable to Source Code Exposure in versions 15.0.0 - 15.0.6, 15.1.1 - 15.1.10, 15.2.0 - 15.2.7, 15.3.0 - 15.3.7, 15.4.0 - 15.4.9, 15.5.1 - 15.5.8 and 16.0.0 - 16.0.9.
How to fix this
Upgrade Next to the patch version.
Links
nextjs.org/blog/security-update-2025-12-11https://nextjs.org/blog/security-update-2025-12-11
react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-componentshttps://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
facebook.com/security/advisories/cve-2025-55183https://www.facebook.com/security/advisories/cve-2025-55183
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
Resources
Industries
Use Cases
Compare
© 2026 Aikido Security BV | BE0792914919
Keizer Karelstraat 15, 9000, Ghent, Belgium
95 Third St, 2nd Fl, San Francisco, CA 94103, US
Unit 6.15 Runway East 18 18 Crucifix Ln, London SE1 3JW UK
Ghent, Belgium | San Francisco, US
SOC 2Compliant
ISO 27001Compliant