Actonic Products official statement about the recently disclosed critical security vulnerability in React Server Components (CVE-2025-55182, CVSS 10.0).

TLDR: Our applications are not affected by CVE-2025-55182

We have reviewed the official React advisory and analyzed our products:

• The vulnerability affects React Server Components and related server-side packages (react-server-dom-*) in certain React 19.x versions and frameworks that use them (e.g. Next.js App Router, experimental React Router RSC APIs).
• Our apps do not use React Server Components, React Server Functions, or server-side rendering.

Because of this, our applications are not affected by CVE-2025-55182. The vulnerable code paths simply do not exist in our architecture.

We continuously monitor upstream security advisories (including React and Atlassian Forge) and will apply patches where relevant, but at this time no customer action is required and there is no increased risk from this vulnerability.

Best regards,

Actonic Team