CVE-2023-5752
Source Code Exposure vulnerability in pip (PyPI)
What is CVE-2023-5752 About?
This is a source code exposure vulnerability affecting React Server Components in specific versions of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. It allows application source code to be exposed to unauthorized parties. React rates the vulnerability as critical, and it requires immediate patching because it is straightforward to exploit.
Affected Software
Technical Details
The vulnerability lies within React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 of the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages. These versions presumably contain an oversight in how server-side code is handled or served, leading to unintended disclosure of source files. This could involve improper access control, path traversal, or a misconfiguration in how these components resolve and serve application assets, allowing a client to request and retrieve source code that should remain server-side.
What is the Impact of CVE-2023-5752?
Successful exploitation may allow attackers to gain unauthorized access to an application's source code, which can reveal sensitive business logic, intellectual property, API keys, database schemas, or other critical internal details that could be leveraged for further attacks or competitive advantage.
What is the Exploitability of CVE-2023-5752?
Exploitation of this vulnerability likely involves sending specific HTTP requests to the React Server Components endpoint. The complexity is expected to be low to moderate, as is typical for source code exposure. No prerequisites are mentioned beyond the use of a vulnerable version of one of the React Server Components packages. Authentication requirements are likely minimal or absent, since the exposure appears to stem from how public-facing components handle resource requests. The attack is remote; attackers do not need local access to the system. The only special condition is that the application actively uses React Server Components from one of the affected packages, so the primary risk factor is a vulnerable React application deployed online.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-5752?
Available Upgrade Options
- pip
- <23.3 → Upgrade to 23.3
Additional Resources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65UKKF5LBHEFDCUSPBHUN4IHYX7SRMHH/
- https://github.com/pypa/pip/pull/12306
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FXUVMJM25PUAZRQZBF54OFVKTY3MINPW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/
- https://lists.debian.org/debian-lts-announce/2025/10/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/622OZXWG72ISQPLM5Y57YCVIMWHD4C3U
What are Similar Vulnerabilities to CVE-2023-5752?
Similar Vulnerabilities: CVE-2021-41221, CVE-2021-21398, CVE-2020-13936, CVE-2019-19918, CVE-2018-15688
