React 19 Server Components Critical Vulnerability (CVE-2025-55182)
Overview
On December 3, 2025, the React team disclosed a critical remote code execution vulnerability (CVE-2025-55182, CVSS 10.0) affecting React 19 Server Components. The disclosure has prompted questions from Vaadin users and findings from dependency scanning tools that see React 19 in Vaadin projects.
Vaadin products are not affected by this vulnerability under normal deployment configurations. This advisory clarifies Vaadin's architecture and identifies the rare circumstances where action might be needed.
Description
CVE-2025-55182 is a critical vulnerability in the React 19 Server Components implementation. An unauthenticated attacker can craft malicious HTTP requests to React Server Function endpoints; when the React server runtime on a Node.js process deserializes the request payload, the attacker achieves remote code execution.
Affected React Packages and Versions
The following React packages are vulnerable in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Exploitation Requirements
To be vulnerable, an application must meet all of the following conditions:
1. Use React 19.x (one of the versions listed above)
2. Implement React Server Components
3. Run React on a Node.js server process that handles server-side rendering
4. Expose React Server Function endpoints to HTTP requests
Impact to Vaadin and why standard deployments are not vulnerable
Vaadin products use a fundamentally different architecture from the vulnerable React Server Components pattern:
1. Java/Spring Boot backend: Vaadin applications run on the JVM with Java or Kotlin backends, not on Node.js
2. Browser-only React: in Vaadin applications, React code executes exclusively in the user's browser
3. No React Server Components: Vaadin does not use React Server Components in its architecture
4. No React server process: there is no React-based server process handling server-side rendering or Server Functions
Why we are not vulnerable
CVE-2025-55182 requires React code to run on a Node.js server and to process incoming HTTP requests. Neither is the case in Vaadin's architecture:
- Server layer: Vaadin Flow uses Java servlets and optionally Spring Boot. All server-side logic executes in the JVM.
- Client layer: React components in Vaadin run entirely in the browser as standard client-side React code.
- Communication: Vaadin handles client-server communication through its own type-safe RPC mechanism, not React Server Functions.
Potentially Affected Scenarios
You might be affected **only if ALL of the following conditions apply to your deployment:**
1. You are using Vaadin 24.x with the React 19 feature flag explicitly enabled
2. You have manually added React Server Components to your application
3. You are running a separate, custom Node.js server process for React server-side rendering
4. Your Node.js server exposes React Server Function endpoints to external requests
This configuration requires significant custom development beyond standard Vaadin usage and is extremely rare.
Affected Products
| Product | Configuration | Status |
|---|---|---|
| Vaadin Flow 24.x | Default configuration | Not affected |
| Vaadin Flow 24.x | With React 19 feature flag | Not affected (unless running a custom Node.js server with RSC) |
| Hilla | React-based projects | Not affected (client-side React only) |
| Vaadin 25.x | All configurations | Not affected (same architecture as 24.x) |
Customer Guidance
For Standard Vaadin Users (99.9% of deployments)
No action required. Your Vaadin application uses Java on the server and React in the browser only. You are not vulnerable to CVE-2025-55182.
For Users Who Enabled React 19 Feature Flag
1. Review your deployment architecture:
- Do you have a Node.js server process running alongside your Java application?
- Have you implemented React Server Components?
- Are React Server Function endpoints exposed to HTTP requests?
2. If you answered "yes" to all three questions above:
- Upgrade your React packages to the patched release of your minor version: 19.0.1, 19.1.2, or 19.2.1
- Review your Node.js server security configuration
- Consider whether React Server Components are necessary for your use case
3. If you answered "no" to any question:
- You are not affected; no action is required. Upgrading any react-server-dom-* package to a patched version anyway is harmless and clears the scanner finding.
For Security Teams and Compliance Officers
If dependency scanning tools flag CVE-2025-55182 for your Vaadin application:
1. Understand the architecture: Vaadin runs React in the browser, not on the server
2. Share this advisory: use this document to clarify why the vulnerability does not apply
3. Verify deployment: confirm that no custom Node.js server processes are running React Server Components
4. Treat the finding as a false positive: most security scanners detect React 19 as a dependency but cannot analyze whether it runs server-side
For Organizations Using Dependency Scanners
Security scanners may flag React 19 as a dependency and report CVE-2025-55182 as critical. This is technically accurate for the dependency but contextually a false positive for standard Vaadin deployments because:
- The vulnerable code path (React Server Components on Node.js) is not used by Vaadin
- No React Server Function endpoints exist in typical Vaadin applications
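The package list and exploitation requirements above, and the scanner false-positive handling in this section, can be turned into a repeatable check. The following Node.js script is an added example written for this advisory; it is not Vaadin's or React's code. It scans a package-lock.json (v2/v3 layout, where installed packages live under the `packages` key) for the three react-server-dom-* packages at the versions named above, then records the result as an OpenVEX document (field names as in the OpenVEX 0.2.0 specification) that a dependency scanner can consume. Whether React actually runs on a Node.js server is a question the lockfile cannot answer, so the script takes it as an input flag. The sample lockfile, the author address, and the document ID are constructed placeholders.

```javascript
// Added example (not Vaadin's or React's code): scan a package-lock.json for
// the react-server-dom-* packages named in the advisory and record the
// outcome as an OpenVEX document. Runs on Node.js with no third-party packages.

const CVE_ID = "CVE-2025-55182";

// Package names and versions exactly as listed in the advisory.
const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
const VULNERABLE_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const PATCHED_VERSIONS = ["19.0.1", "19.1.2", "19.2.1"];

// Lockfile v2/v3 keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/bar"; the package name is everything after
// the last "node_modules/" (scoped names keep their "@scope/" prefix).
function packageNameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// One finding per installed react-server-dom-* package, nested copies
// included, with `vulnerable` decided by the exact version in the lockfile.
function findReactServerDom(lockfile) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "") continue; // "" is the root project itself
    const name = packageNameFromLockKey(key);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    findings.push({
      name,
      version: entry.version,
      dev: entry.dev === true,
      vulnerable: VULNERABLE_VERSIONS.has(entry.version),
    });
  }
  return findings;
}

// Build an OpenVEX document for the vulnerable findings. `runsOnNodeServer`
// is the human answer to the deployment questions in the advisory: true only
// when the app runs React Server Components on a Node.js process that exposes
// Server Function endpoints. A lockfile cannot tell, so it is an input here.
function buildVex(findings, { runsOnNodeServer, author, timestamp, docId }) {
  const statements = findings
    .filter((f) => f.vulnerable)
    .map((f) => {
      const base = {
        vulnerability: { name: CVE_ID },
        products: [{ "@id": `pkg:npm/${f.name}@${f.version}` }],
      };
      if (runsOnNodeServer) {
        return {
          ...base,
          status: "affected",
          action_statement: `Upgrade ${f.name} to a patched release: ${PATCHED_VERSIONS.join(", ")}`,
        };
      }
      return {
        ...base,
        status: "not_affected",
        justification: "vulnerable_code_not_in_execute_path",
        impact_statement:
          "React executes only in the browser; server-side logic runs on the JVM and no React Server Function endpoint is exposed.",
      };
    });
  return {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": docId,
    author,
    timestamp,
    version: 1,
    statements,
  };
}

// Constructed sample lockfile (not from a real project): a browser-only React
// front end that, for the sake of the example, also contains one vulnerable
// react-server-dom-* package and one nested copy already at a patched version.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-vaadin-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0", dev: true },
    "node_modules/some-build-tool/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
  },
};

// Demo run for a standard (browser-only) deployment. For a real project,
// replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const demoFindings = findReactServerDom(SAMPLE_LOCKFILE);
const demoVex = buildVex(demoFindings, {
  runsOnNodeServer: false, // the answer for a standard Vaadin deployment
  author: "security@example.com", // placeholder
  timestamp: "2025-12-09T00:00:00Z",
  docId: "https://example.com/vex/cve-2025-55182-my-vaadin-app", // placeholder
});
console.log(JSON.stringify({ findings: demoFindings, vex: demoVex }, null, 2));
```

The `not_affected` statement deliberately carries both a `justification` and an `impact_statement`: OpenVEX requires at least one of them for that status, and the impact statement is the sentence a reviewer will read when the scanner finding is challenged. Flipping `runsOnNodeServer` to `true` produces an `affected` statement whose action is the upgrade path from the guidance above, so the same script serves the rare custom Node.js deployment.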
Recommendations
1. Document your architecture: clearly document that your Vaadin application uses Java/Spring Boot for server-side logic
2. Review custom integrations: if you have custom Node.js services, verify they don't use vulnerable React versions
3. Stay informed: monitor Vaadin security advisories at https://vaadin.com/security
4. Update dependencies: keep Vaadin and all dependencies updated to receive security patches
References
History
- 2025-12-09: Initial vulnerability report published