
[CRITICAL] CVE-2025-55182 in React allows remote code execution#507

Merged
steveiliop56 merged 1 commit into tinyauthapp:main from d3vv3:main on Dec 9, 2025

Conversation

@d3vv3
Contributor

@d3vv3 d3vv3 commented Dec 9, 2025

More info here: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Summary by CodeRabbit

  • Chores
    • Updated React and React DOM dependencies to patch version 19.2.1.


@coderabbitai
Contributor

coderabbitai Bot commented Dec 9, 2025

Walkthrough

Updated React and React DOM dependencies from ^19.2.0 to ^19.2.1 in frontend/package.json. This is a patch-level version bump with no functional or behavioral changes to the application.

Changes

Cohort / File(s)                         Summary
Dependency Updates                       Bumped React and React DOM from ^19.2.0 to ^19.2.1
  frontend/package.json

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

  • Simple patch version bump with no logic, API, or behavioral changes
  • Straightforward verification: confirm semver notation is correct and both dependencies are updated consistently

Poem

🐰 A hop, skip, and version bump so small,
React nineteen point two point one for all,
No breaking changes, just a patch to embrace,
Tiny improvements in their rightful place! 🎉

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Title check: ⚠️ Warning. The title claims a critical CVE with remote code execution, but the actual change is only a patch bump from ^19.2.0 to ^19.2.1 with no behavioral changes. Resolution: update the title to accurately reflect the change, such as 'Update React and React DOM to version 19.2.1' or similar, to match the actual changeset scope.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f4f250 and d863399.

⛔ Files ignored due to path filters (1)
  • frontend/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • frontend/package.json (1 hunks)
🔇 Additional comments (1)
frontend/package.json (1)

31-32: Correct security patch for CVE-2025-55182 with sound versioning strategy.

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of React, with fixes introduced in versions 19.0.1, 19.1.2, and 19.2.1. Your patch from ^19.2.0 to ^19.2.1 correctly addresses this critical (CVSS 10.0) RCE vulnerability. The caret operator maintains flexibility for future patch updates while staying within the 19.2.x release line, and the version bump aligns with React and React DOM symmetry.

Type definitions at lines 46-47 (@types/react@^19.2.7 and @types/react-dom@^19.2.3) are compatible with the patched versions.

Verify React Server Components are not in use. If your app's React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability. While your app appears to be client-side only based on the dependency structure, please confirm:

  1. React Server Components (RSC) are not enabled in your build configuration or routing setup.
  2. If using React Router's experimental RSC APIs, they are not being actively used.
  3. Your deployment process correctly propagates the patched dependencies to production (verify package-lock.json and build artifacts are regenerated).

Note on React Router: React Router is listed among affected frameworks. However, React Router RSC mode is affected, and RSC is an experimental/unstable feature in React Router. The dependency ^7.10.0 should resolve to 7.10.1 or later (non-vulnerable), but confirm your app doesn't explicitly enable RSC mode.


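The review above asks two things that are easy to get wrong by eye: whether the versions that actually ship (the lockfile, not the caret range in package.json) are at or above the fixed release for their 19.x line, and whether React Server Components are in the dependency tree at all. The following is an added example, not code from the tinyauth repository or from this PR, that answers both from a resolved dependency map. It takes the fixed-version table from the review (19.0.1, 19.1.2, 19.2.1), treats the presence of any react-server-dom-* package as the indicator that an RSC runtime is wired in (an assumption for illustration; confirm against the linked advisory and the build config), implements just enough semver and caret-range logic to avoid an npm dependency, and runs on constructed manifest/lock maps rather than the repository's bun.lock.

```javascript
// Added example: audit resolved React versions against the CVE-2025-55182 fix table
// and flag whether an RSC runtime package is present. Not project code.

// Fixed release per affected minor line, as stated in the review.
const FIXED_BY_MINOR = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const CORE_PACKAGES = ["react", "react-dom"];
// Assumption: a react-server-dom-* package in the tree means RSC is wired in.
const RSC_PREFIX = "react-server-dom-";

// Constructed sample inputs, loosely modelled on this PR (not copied from the repo):
// manifest ranges before/after the bump, and the exact versions a lockfile would pin.
const MANIFEST_BEFORE = { react: "^19.2.0", "react-dom": "^19.2.0", "react-router": "^7.10.0" };
const MANIFEST_AFTER = { react: "^19.2.1", "react-dom": "^19.2.1", "react-router": "^7.10.0" };
const LOCK_STALE = { react: "19.2.0", "react-dom": "19.2.0", "react-router": "7.10.0" };
const LOCK_FRESH = { react: "19.2.1", "react-dom": "19.2.1", "react-router": "7.10.1" };

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1; a prerelease sorts below the corresponding release.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Caret semantics as npm/bun apply them: same major (same minor too for 0.x),
// and the version must be at or above the range's base.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges are handled: ${range}`);
  const baseText = range.slice(1);
  const base = parseSemver(baseText);
  const v = parseSemver(version);
  if (v.major !== base.major) return false;
  if (base.major === 0 && v.minor !== base.minor) return false;
  return compareSemver(version, baseText) >= 0;
}

// manifest: package.json dependency ranges; lock: name -> exact resolved version.
function auditReact(manifest, lock) {
  const findings = [];
  for (const name of CORE_PACKAGES) {
    const range = manifest[name];
    const resolved = lock[name];
    if (!range || !resolved) {
      findings.push({ package: name, status: "missing", lockSatisfiesManifest: false });
      continue;
    }
    const { major, minor } = parseSemver(resolved);
    const fixed = FIXED_BY_MINOR[`${major}.${minor}`];
    let status;
    if (!fixed) status = "out-of-scope"; // line not in the review's affected table
    else status = compareSemver(resolved, fixed) >= 0 ? "patched" : "vulnerable";
    findings.push({ package: name, range, resolved, fixed: fixed || null, status,
      // false means the lockfile was not regenerated after the manifest bump
      lockSatisfiesManifest: satisfiesCaret(range, resolved) });
  }
  const rscPackages = Object.keys(lock).filter((n) => n.startsWith(RSC_PREFIX)).sort();
  const needsPatch = findings.some((f) => f.status === "vulnerable" || !f.lockSatisfiesManifest);
  return {
    findings,
    rscPackages,
    usesRsc: rscPackages.length > 0,
    needsPatch,
    // Per the advisory scoping quoted in the review: only RSC users are actually exposed.
    exposed: needsPatch && rscPackages.length > 0,
  };
}

function formatReport(report) {
  const lines = report.findings.map(
    (f) => `${f.package}: ${f.resolved || "-"} (${f.status}${f.lockSatisfiesManifest ? "" : ", lock stale"})`
  );
  lines.push(`RSC packages: ${report.rscPackages.join(", ") || "none"}`);
  lines.push(`needs patch: ${report.needsPatch}, exposed: ${report.exposed}`);
  return lines.join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before bump, old lock:\n" + formatReport(auditReact(MANIFEST_BEFORE, LOCK_STALE)));
  console.log("after bump, lock not regenerated:\n" + formatReport(auditReact(MANIFEST_AFTER, LOCK_STALE)));
  console.log("after bump, lock regenerated:\n" + formatReport(auditReact(MANIFEST_AFTER, LOCK_FRESH)));
}
```

The "lock stale" case is the one the review's third checklist item is about: bumping the caret range in package.json changes nothing on disk or in a build until the lockfile is regenerated, so the check must read the resolved version, not the range.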

@steveiliop56
Member

Although Tinyauth is not affected by this vulnerability since it's not using any server components, I will merge anyway just to be safe. I will not create a release though.

@codecov

codecov Bot commented Dec 9, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 23.62%. Comparing base (2f4f250) to head (d863399).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #507   +/-   ##
=======================================
  Coverage   23.62%   23.62%           
=======================================
  Files          36       36           
  Lines        2239     2239           
=======================================
  Hits          529      529           
  Misses       1673     1673           
  Partials       37       37           


@steveiliop56 steveiliop56 merged commit 2c1554a into tinyauthapp:main Dec 9, 2025
4 checks passed
