React/Next JS (CVE-2025-55182 / CVE-2025-66478)

Hi,

Vite is using React internally, but not Next.js, right?

There are new CVEs for React/Next.js (CVE-2025-55182 / CVE-2025-66478). In package.json and package-lock.json I see some React dependencies:

"@types/react": "18.3.26",
"@types/react-dom": "18.3.7",
"@vitejs/plugin-react": "4.7.0",

From the CVE description only versions 19.x are a problem. So it looks fine to me.

Does anyone have some input on this topic?

That CVE is only relevant when React is running on a Node.js server, which isn’t the case with Vaadin. And as you noticed, it’s only affecting React 19 whereas Vaadin 24 by default uses React 18.

3 Likes
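As an added example (not code from the thread or from Vaadin), here is a small Python check that scans a package-lock.json for the React runtime packages at major version 19, the range the thread identifies as affected. The @types/* and @vitejs/plugin-react entries quoted above are tooling, not the React runtime, so the lock file's react/react-dom entries are what to look at; the sample lock file and the nested widget package in it are constructed.

```python
import json

# Runtime packages whose 19.x releases the thread identifies as affected; @types/* and
# @vitejs/plugin-react are tooling, not the React runtime, so they are not matched (assumption).
AFFECTED_PACKAGES = {"react", "react-dom"}
AFFECTED_MAJOR = 19

def major_version(version):
    """Leading major number of a version or range string such as '18.3.1' or '^19.0.0'."""
    head = version.lstrip("^~=v").split(".")[0]
    return int(head) if head.isdigit() else None

def _walk_v1(deps, prefix, hits):
    """lockfileVersion 1 layout: nested 'dependencies' objects keyed by bare package name."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in AFFECTED_PACKAGES and major_version(meta.get("version", "")) == AFFECTED_MAJOR:
            hits.append((path, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)

def find_affected(lock):
    """Return (install path, version) for every React runtime package at major 19, handling
    both the flat 'packages' map (lockfileVersion 2/3) and the nested lockfileVersion 1 layout."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # strips any parent node_modules prefix
        if name in AFFECTED_PACKAGES and major_version(meta.get("version", "")) == AFFECTED_MAJOR:
            hits.append((path, meta["version"]))
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return hits

# Constructed sample lock file: the thread's three dev dependencies plus React 18 at the root,
# and a hypothetical nested widget that pulls in its own react-dom 19.x.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/@types/react": {"version": "18.3.26"},
    "node_modules/@types/react-dom": {"version": "18.3.7"},
    "node_modules/@vitejs/plugin-react": {"version": "4.7.0"},
    "node_modules/react": {"version": "18.3.1"},
    "node_modules/some-widget": {"version": "1.0.0"},
    "node_modules/some-widget/node_modules/react-dom": {"version": "19.0.0"}
  }
}""")

if __name__ == "__main__":
    for path, version in find_affected(SAMPLE_LOCK):
        print(f"affected: {path} ({version})")
```

Point it at a real lock file with `find_affected(json.load(open("package-lock.json")))`; an empty result means no React runtime package at major 19 is installed anywhere in the tree, including transitively.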

Thanks for clarifying/confirming :)