Litium security update 2025-12-05
Affected versions
The third-party component React, versions 19.0.0 - 19.2.0
Impact
Under certain conditions, specially crafted requests could lead to unauthenticated remote code execution (RCE), making it a critical, high-severity issue.
Description
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Read more at CVE-2025-55182
Recommended actions
- Verify whether your solution uses React versions 19.0.0–19.2.0 or packages affected by CVE-2025-55182.
- Update React to a patched version immediately, following React’s official remediation guidance.
- If you are using components originating from the Litium React Accelerator, update to the latest accelerator version, which includes the security fix.
- Redeploy your application after patching to ensure the updated components are active.
- Review logs and monitor your environment for any suspicious activity as a precaution.
Litium React Accelerator
The Litium React Accelerator has been patched in version 1.11.1 (see Bug 74384).