Hi JMIX Team,
I would like to quick check if JMIX is vulnerable to CVE-2025-55182 ?
I not sure if JMIX is using Hilla somewhere; Hilla is using React. Inside Vaadin Document, it doesn’t mention what React version they are using.
Regards,
CK
Hi,
Jmix doesn’t use Hilla, but Vaadin Flow uses React. The mentioned vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. Packages and versions used in Vaadin Flow are:
"react": "18.3.1",
"react-dom": "18.3.1",
"react-router": "7.6.3"
As you can see, neither affected packaged not affected versions are used in Jmix applications.
Regards,
Gleb
2 Likes