
React CVE score 10.0!

Open posta246 opened this issue 2 weeks ago • 17 comments

Is NPM impacted?!?! https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

posta246 avatar Dec 06 '25 15:12 posta246

I wonder as well

onelots avatar Dec 06 '25 21:12 onelots

I received my cloud provider's warning mail. I think the problem is from NPM.

magicmayu avatar Dec 07 '25 05:12 magicmayu

Latest version of NPM is using Next Server 15.5.4 and according to this Reddit post, 15.5.7 has the fix. I am killing my NPM container for the time being until a quick fix is released on the NPM side.

Edit: taking a second glance it was paperlessngx with this issue. I apologize for misleading you all.


pollocluck avatar Dec 08 '25 01:12 pollocluck

> Latest version of NPM is using Next Server 15.5.4 and according to this Reddit post, 15.5.7 has the fix. I am killing my NPM container for the time being until a quick fix is released on the NPM side.

Where do you see 15.5.4 ??

sopex avatar Dec 08 '25 14:12 sopex

Is there an easy way to replace the affected lib?

posta246 avatar Dec 08 '25 16:12 posta246

Hope jc21 is ok and can fix it as soon as he can.

posta246 avatar Dec 08 '25 16:12 posta246

Apparently yes, it is: from package.json it is using react ^19.2.0, which is vulnerable. I believe rebuilding their image could be enough since they are using ^19.2.0 (depending on the Dockerfile and the CI).

I don't understand if React is used client side or server side. The CVE refers to this second case.

posta246 avatar Dec 08 '25 17:12 posta246

> Latest version of NPM is using Next Server 15.5.4 and according to this Reddit post, 15.5.7 has the fix. I am killing my NPM container for the time being until a quick fix is released on the NPM side.

> Where do you see 15.5.4 ??

Whoops, you are right. I updated my response to reflect that.

pollocluck avatar Dec 08 '25 17:12 pollocluck

Someone actually providing proof that any of the affected packages are used...?

sopex avatar Dec 08 '25 17:12 sopex

> Apparently yes, it is: from package.json it is using react ^19.2.0, which is vulnerable. I believe rebuilding their image could be enough since they are using ^19.2.0 (depending on the Dockerfile and the CI).

> I don't understand if React is used client side or server side. The CVE refers to this second case.

Oh, yeah, you are right, totally missed that part, sorry.

ViNoS-ab avatar Dec 08 '25 17:12 ViNoS-ab

It is just statically built and served by nginx.

ViNoS-ab avatar Dec 08 '25 17:12 ViNoS-ab

Isn’t it only the server that’s affected when the following packages are involved?

  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

The package.json of NPM does not have any of these.

Ed1ks avatar Dec 09 '25 12:12 Ed1ks

> Affected frameworks and bundlers
>
> Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.

Pretty sure react-router is a dependency as well.

krutoileshii avatar Dec 09 '25 16:12 krutoileshii
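The check the last two comments describe (look in the dependency tree for the react-server-dom-* packages and for the frameworks the advisory lists) can be scripted against a package-lock.json. The following is an added example, not code from nginx-proxy-manager or from the advisory; the package lists come from the thread above, the two sample lockfiles are constructed, and the version numbers in them are placeholders. It only reports what is installed (hoisted or nested); the versions it prints still have to be compared against the advisory's fixed releases.

```javascript
// Added example: scan an npm lockfile (lockfileVersion 2 or 3, "packages" map)
// for the React Server Components packages and the frameworks the advisory names.

// Server-side RSC packages named in the thread.
const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Frameworks/bundlers the advisory lists as depending on those packages.
const AFFECTED_FRAMEWORKS = [
  'next', 'react-router', 'waku', '@parcel/rsc', '@vitejs/plugin-rsc', 'rwsdk',
];

// Turn a lockfile key such as "node_modules/next/node_modules/react-server-dom-webpack"
// into the package name "react-server-dom-webpack". Scoped names keep their "@scope/".
// The root project entry has the key "" and yields null.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  if (idx === -1) return null;
  return lockPath.slice(idx + 'node_modules/'.length);
}

// Returns { rsc: [...], frameworks: [...] } with one {name, version, path} entry
// for every installed copy of a watched package, including nested duplicates.
function scanLockfile(lockfile) {
  const hits = { rsc: [], frameworks: [] };
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name) continue;
    const entry = { name, version: meta.version, path: lockPath };
    if (RSC_PACKAGES.includes(name)) hits.rsc.push(entry);
    if (AFFECTED_FRAMEWORKS.includes(name)) hits.frameworks.push(entry);
  }
  return hits;
}

// Human-readable summary; a framework hit without any RSC package means the
// framework is present but its server-components code path is not installed.
function report(lockfile) {
  const { rsc, frameworks } = scanLockfile(lockfile);
  const fmt = (e) => `  ${e.name}@${e.version} (${e.path})`;
  const lines = [];
  lines.push(rsc.length ? 'RSC packages installed:' : 'No react-server-dom-* package installed.');
  lines.push(...rsc.map(fmt));
  lines.push(frameworks.length ? 'Frameworks listed by the advisory:' : 'None of the listed frameworks installed.');
  lines.push(...frameworks.map(fmt));
  return lines.join('\n');
}

// Constructed sample: a client-only build with react and react-router, no RSC package.
const SAMPLE_CLIENT_ONLY = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'frontend', dependencies: { react: '^19.2.0', 'react-router': '^7.0.0' } },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-dom': { version: '19.2.0' },
    'node_modules/react-router': { version: '7.0.0' },
  },
};

// Constructed sample: the same project after a framework pulled in an RSC package
// as a nested dependency (versions are placeholders, not real release data).
const SAMPLE_WITH_RSC = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'frontend', dependencies: { react: '^19.2.0', next: '^15.0.0' } },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/next': { version: '15.5.4' },
    'node_modules/next/node_modules/react-server-dom-webpack': { version: '19.2.0' },
  },
};

// Usage: node scan-lockfile.js path/to/package-lock.json
if (typeof require === 'function' && typeof process !== 'undefined' && process.argv[2]) {
  const fs = require('fs');
  console.log(report(JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))));
} else if (typeof process !== 'undefined' && !process.argv[2]) {
  console.log('--- constructed client-only sample ---\n' + report(SAMPLE_CLIENT_ONLY));
  console.log('--- constructed sample with RSC ---\n' + report(SAMPLE_WITH_RSC));
}
```

The scan walks the `packages` map rather than the root `dependencies`, because the RSC packages arrive as transitive dependencies of a framework and can be nested under it instead of hoisted to the top level.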

Anyone know if NPM is affected or not?

apateluk avatar Dec 09 '25 21:12 apateluk

React Router is a dependency, but NPM does not use RSC mode as far as I can see.

Ed1ks avatar Dec 09 '25 21:12 Ed1ks

> Anyone know if NPM is affected or not?

I believe it's not: this is the build script

and this is how it is served via nginx

so it is fully client side. The JS runs only on the client side, so no React Server Components are being used.

ViNoS-ab avatar Dec 09 '25 21:12 ViNoS-ab

The maintainer should still update NPM ASAP. "If affected" or "probably not" is too high a risk if the fix is just an update of some deps.

Ed1ks avatar Dec 10 '25 05:12 Ed1ks

Anyone want to slap a PR for this?

krutoileshii avatar Dec 11 '25 22:12 krutoileshii

New CVEs dropped

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

krutoileshii avatar Dec 13 '25 02:12 krutoileshii