Docusaurus uses React... what about CVE-2025-55182? #11602

pombredanne · 2025-12-05T14:43:29Z

pombredanne
Dec 5, 2025

Is docusaurus exposed to CVE-2025-55182 https://nvd.nist.gov/vuln/detail/CVE-2025-55182 ?
I do not think so, as server components are not used, but it would be great to discuss this here!

Answered by slorber

Dec 5, 2025

Agree are not affected by this React 19 vulnerability: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

The exploit requires sending a malicious request to a Server Function endpoint, to get remote code execution access.

In our case, we are a static site generator, and the "server" only exists at build time. Once built, you generally host the static files on a CDN, no Server Function endpoint is ever exposed, and there's no server runtime you could even execute malicious code on.

Yes, even if we did use any of those packages (which we plan to do), the "vulnerable server" would only have existed at build time, and the attacked would need to send …

View full answer

Josh-Cena · 2025-12-05T14:59:29Z

Josh-Cena
Dec 5, 2025
Collaborator

None of the vulnerable packages are ever installed by a Docusaurus site.

3 replies

slorber Dec 5, 2025
Collaborator

Agree are not affected by this React 19 vulnerability: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

The exploit requires sending a malicious request to a Server Function endpoint, to get remote code execution access.

In our case, we are a static site generator, and the "server" only exists at build time. Once built, you generally host the static files on a CDN, no Server Function endpoint is ever exposed, and there's no server runtime you could even execute malicious code on.

Yes, even if we did use any of those packages (which we plan to do), the "vulnerable server" would only have existed at build time, and the attacked would need to send a malicious payload at build time through your CI, meaning that your CI is likely alredy compromised.

Even if you self-host with docusaurus serve (which is not the best way to host your production site, and more a way to test it locally), that runtime server doesn't expose any Server Function endpoint.

If you are using React 19, we still think it's a good idea to upgrade to a patched version (ex: 19.2.1)
Even though Docusaurus is not affected, maybe we'll introduce build-time RSC support later (which I doubt would make us vulnerable, without 100% guarantee), or you are in a monorepo with other React apps. It's always safer and more future proof to be using a patched version.

I don't think it will ever make sense to add support for React Server Functions in Docusaurus (since it would become impossible to host it on popular static hosts like GitHub Pages), but we never know, it could become an opt-in extension 🤷‍♂️

Answer selected by pombredanne

pombredanne Dec 6, 2025
Author

@slorber You wrote:

host it on popular static hosts like GitHub Actions

did you mean Github pages maybe?

slorber Dec 7, 2025
Collaborator

yes 🤪 GitHub Pages

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Docusaurus uses React... what about CVE-2025-55182? #11602

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Docusaurus uses React... what about CVE-2025-55182? #11602

Uh oh!

pombredanne Dec 5, 2025

Replies: 1 comment · 3 replies

Uh oh!

Josh-Cena Dec 5, 2025 Collaborator

Uh oh!

Uh oh!

slorber Dec 5, 2025 Collaborator

Uh oh!

pombredanne Dec 6, 2025 Author

Uh oh!

slorber Dec 7, 2025 Collaborator

pombredanne
Dec 5, 2025

Replies: 1 comment 3 replies

Josh-Cena
Dec 5, 2025
Collaborator

slorber Dec 5, 2025
Collaborator

pombredanne Dec 6, 2025
Author

slorber Dec 7, 2025
Collaborator