I wanted to let you all know that we are aware of a high-severity vulnerability in React Server Components. This vulnerability is assigned a CVSS score of 10.0 due to the ability to trigger unauthenticated remote code execution.
This appears to affect a significant number of Cloud applications and may appear in custom in-house applications as well.
The BigFix team is examining both detection methods and our own applications. At this point we do not have any indication that any BigFix products are vulnerable. We will update this post if that changes, and add discussion for potential detection methods as they become available.
3 Likes
@ArturZ has provided custom signatures for BigFix Inventory that are a first pass at detecting the affected React Server Components. Consider this a rapid-release 'best effort' and subject to the same caveats as our early release for Log4j detections at Log4j Vulnerability Identification and 3rd Party Remediation Solution Testing Statement. Which is to say, I give Artur all of the thanks and none of the blame.
A known issue is that at this time, the signatures only detect the direct installation of the react-server-components; I expect they do not detect the bundled versions provided by 'next' or 'vitejs-plugin-rsc', but may well detect the bundled versions that are loaded as dependencies for 'react-router', 'expo', or 'redwood sdk'. If any of you are running known versions of any of those products, I'd greatly appreciate your feedback on scan results.
The process for using both of the custom signatures is the same:
- Download the signature file from the URL provided under every type of discovery described.
- Login to BigFix Inventory.
- Go to Management → Catalog Customization.
- Import the file with the custom signature.
- Run an import process.
- Make sure that the catalog was propagated to the endpoints (the automatically created propagation action is executed on all applicable endpoints).
- Run a software scan on the endpoints.
- Ensure the Upload Software Scan Result fixlet is running.
- Run an import process to import the scan results.
- Verify the results on the reports.
1 Like
That's very useful! Just wanted to ask - would it be possible to potentially create signatures for Next.js & vitejs as products rather than hoping to capture react server as a subcomponent?
Hi Jason,
Our security tool is detecting the BigFix WebUI component as vulnerable to this vulnerability. Can you please suggest the fix?
CVE-2025-55182
The library react version 19.0.0 was detected in NPM library manager located at E:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI\sites\Pending\WebUI Insights_13762_27_1740771155\insights-app\package-lock.json on line 9905 and is vulnerable to CVE-2025-55182, which exists in versions >= 19.0.0, < 19.0.1.
Is there any analysis as well to detect this using BigFix Lifecycle?
We are working on a set of Tasks, Analyses, and Fixlets to scan for and report affected React components. This will use BigFix Scanner, the standalone component common to Inventory and the Known Exploited Vulnerabilities content pack. Watch this space for announcements.
1 Like
I believe this to be a false positive but will verify and follow up.
I have obtained a copy of this file. The stanza around line 9905 contains:
```json
"node_modules/react": {
  "version": "19.0.0",
  "integrity": "sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ==",
  "peer": true,
  "engines": {
    "node": ">=0.10.0"
  }
},
```
This seems pretty clearly a false positive to me. While we do have 'react', the vulnerability is not in React as a whole, but only in specific components where React is used as a server - specifically in the following packages, or in any of several frameworks that include them:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
We are not using any react-server components in that file, nor, I believe, in any of our other BigFix offerings. I'll update here if I find otherwise, if I missed a response on an audit.
2 Likes
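As an added illustration of the distinction made in the post above (this is not code from the thread, from BigFix, or from the scanning tool), the following Python check walks a package-lock.json and reports only the three react-server-dom-* packages named there, so a lockfile that merely pins 'react' 19.0.0 like the quoted stanza is not flagged. The two sample lockfiles are constructed; the script reports package presence and version only and does not attempt to decide which versions are affected, which belongs against the vendor advisory.

```python
import json

# Packages the thread identifies as carrying the server-side RSC code.
# Plain "react" is deliberately NOT in this set: its presence alone is the
# false positive discussed above.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}


def _walk_v1(deps, prefix, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in AFFECTED_PACKAGES:
            hits.append((path, meta.get("version")))
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_rsc_packages(lockfile_text):
    """Return [(install path, version)] for every affected package entry.

    Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
    lockfileVersion 1 (nested "dependencies" map). Nested installs such as
    node_modules/foo/node_modules/react-server-dom-webpack are reported too.
    """
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # strip any parent path
        if name in AFFECTED_PACKAGES:
            hits.append((path, meta.get("version")))
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return hits


# Constructed sample 1: mirrors the quoted stanza (react only) -> no findings.
FALSE_POSITIVE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {"": {"name": "insights-app"},
                 "node_modules/react": {"version": "19.0.0", "peer": True}},
})

# Constructed sample 2: react plus a bundler-specific RSC package -> one finding.
AFFECTED_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {"node_modules/react": {"version": "19.0.0"},
                 "node_modules/react-server-dom-webpack": {"version": "19.0.0"}},
})
```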