Possible false positive: React Server Components vulnerability
Hi team,
I’m opening this issue as a heads-up / clarification request, not as a confirmed vulnerability report.
I ran react2shell-guard locally against the current main branch and it reports multiple deps as potentially affected.
I also ran the same scanner against my own deployed Twenty instance, where no vulnerability was reported.
So at this point I’m unsure whether:
- this is a false positive, or
- the local setup still references a version mentioned in a recent upstream advisory, or
- the project is already effectively mitigated in another way.
Relevant upstream advisory:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
I could not find an existing issue about this, so I wanted to ask openly:
Is this a known false positive, or should the dependency version be updated?
I have not attempted to exploit anything and did not find an actual vulnerability in a running Twenty instance.
Here is the full scanner output and details about the command I used, if that helps.
command:
npx react2shell-guard@latest
output:
react2shell-guard - CVE-2025-55182 Scanner
──────────────────────────────────────────────────
Scanned 14 project(s)
✗ twenty [VULNERABLE]
Path: home/twenty
Framework: react-client-only
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-front [VULNERABLE]
Path: home/twenty/packages/twenty-front
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-server [VULNERABLE]
Path: home/twenty/packages/twenty-server
Framework: react-client-only
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-emails [VULNERABLE]
Path: home/twenty/packages/twenty-emails
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-ui [VULNERABLE]
Path: home/twenty/packages/twenty-ui
Framework: react-client-only
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-utils [VULNERABLE]
Path: home/twenty/packages/twenty-utils
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-zapier [VULNERABLE]
Path: home/twenty/packages/twenty-zapier
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-website [VULNERABLE]
Path: home/twenty/packages/twenty-website
Framework: nextjs v15.2.4
App Router: Yes (RSC enabled)
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-docs [VULNERABLE]
Path: home/twenty/packages/twenty-docs
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-e2e-testing [VULNERABLE]
Path: home/twenty/packages/twenty-e2e-testing
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-shared [VULNERABLE]
Path: home/twenty/packages/twenty-shared
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-sdk [VULNERABLE]
Path: home/twenty/packages/twenty-sdk
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ twenty-cli [VULNERABLE]
Path: home/twenty/packages/twenty-cli
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
✗ create-twenty-app [VULNERABLE]
Path: home/twenty/packages/create-twenty-app
Framework: unknown
Vulnerabilities found:
- next @ 15.2.4
Upgrade to: 15.2.6
Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
──────────────────────────────────────────────────
VULNERABLE - Action required!
Upgrade affected packages to patched versions immediately.