Background

CVE-2025-55182 has recently been published with a Critical severity CVSS version 3.1 score. According to NIST NVD, a pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Chemaxon actions taken

Chemaxon has performed an analysis on the possible impact of CVE-2025-55182 on Chemaxon applications. Hereby we confirm, that Chemaxon applications do not utilise vulnerable versions neither of React Server Components nor NextJS. We keep monitoring the applicable advisory concerning this vulnerability.

Other considerations

While Chemaxon Products are not impacted by CVE-2025-55182, we still recommend our Customers to follow the applicable advisories for React Server Components and NextJS and upgrade to fixed versions accordingly.

Additionally, Amazon Web Services (AWS) also issued threat intelligence bulletin providing useful information on applicable service side mitigations.