feat: React Native Support #35
OKTA-1147173 feat: MVP of react-native-webcrypto-bridge package
| "expo-system-ui": "~6.0.8", | ||
| "expo-web-browser": "~15.0.9", | ||
| "react": "19.1.0", | ||
| "react-dom": "19.1.0", |
Semgrep identified a blocking 🔴 issue in your code:
Vulnerable version of React-DOM PINNED (CVE-2025-55182 / React2Shell). React-DOM 19.0.0, 19.1.0, 19.1.1, or 19.2.0 may contain vulnerable React Server Components affected by a critical remote code execution vulnerability (CVSS 10.0). Update to React-DOM 19.0.1, 19.1.2, or 19.2.1 or later.
To resolve this comment:
✨ Commit fix suggestion
| "react-dom": "19.1.0", | |
| "react-dom": "19.1.2", |
View step-by-step instructions
- Update `react-dom` in `package.json` from `"19.1.0"` to `"19.1.2"` (the patched version for the 19.1.x line).
- Also update `react` to match: change `"react": "19.1.0"` to `"react": "19.1.2"` since React and React-DOM versions should stay in sync.
- Run `$ npm install` (or `$ yarn install` / `$ pnpm install` depending on your package manager) to update your lock file with the patched versions.
CVE-2025-55182 (React2Shell) is a CVSS 10.0 remote code execution vulnerability affecting React Server Components in React-DOM 19.0.0–19.2.0. The patched releases are 19.0.1, 19.1.2, and 19.2.1.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- `/fp <comment>` for false positive
- `/ar <comment>` for acceptable risk
- `/other <comment>` for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by react2shell-vulnerable-react-dom.
You can view more details about this finding in the Semgrep AppSec Platform.
| "expo-symbols": "~1.0.7", | ||
| "expo-system-ui": "~6.0.8", | ||
| "expo-web-browser": "~15.0.9", | ||
| "react": "19.1.0", |
Semgrep identified a blocking 🔴 issue in your code:
Vulnerable version of React PINNED (CVE-2025-55182 / React2Shell). React 19.0.0, 19.1.0, 19.1.1, or 19.2.0 contain vulnerable React Server Components affected by a critical remote code execution vulnerability (CVSS 10.0). Update to React 19.0.1, 19.1.2, or 19.2.1 or later.
To resolve this comment:
✨ Commit fix suggestion
| "react": "19.1.0", | |
| "react": "19.1.2", |
View step-by-step instructions
- Update the `react` version in `package.json` from `"19.1.0"` to `"19.1.2"` (the patched version for the 19.1.x line).
- Update `react-dom` from `"19.1.0"` to `"19.1.2"` to keep both packages in sync.
- Run `$ npm install` (or `$ yarn install`) to update your `package-lock.json` or `yarn.lock` with the patched versions.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- `/fp <comment>` for false positive
- `/ar <comment>` for acceptable risk
- `/other <comment>` for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by react2shell-vulnerable-react-core.
You can view more details about this finding in the Semgrep AppSec Platform.
|
|
||
| react-dom@19.0.1: | ||
| version "19.0.1" | ||
| resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.0.1.tgz#b856cbfe38e002b485803d5a0692ee600832edbd" | ||
| integrity sha512-3TJg51HSbJiLVYCS6vWwWsyqoS36aGEOCmtLLHxROlSZZ5Bk10xpxHFbrCu4DdqgR85DDc9Vucxqhai3g2xjtA== | ||
| react-dom@19.1.0: | ||
| version "19.1.0" |
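Review bot: yarn.lock resolves two react-dom versions side by side here, `react-dom@19.0.1` and `react-dom@19.1.0`, so bumping a single specifier will leave the other entry in place. Check which workspace or dependency requests each one and align them on one patched release, so that only a single react-dom copy ends up installed.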
Semgrep identified a blocking 🔴 issue in your code:
Vulnerable version of React-DOM PINNED (CVE-2025-55182 / React2Shell). React-DOM 19.0.0, 19.1.0, 19.1.1, or 19.2.0 may contain vulnerable React Server Components affected by a critical remote code execution vulnerability (CVSS 10.0). Update to React-DOM 19.0.1, 19.1.2, or 19.2.1 or later.
To resolve this comment:
✨ Commit fix suggestion
| react-dom@19.0.1: | |
| version "19.0.1" | |
| resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.0.1.tgz#b856cbfe38e002b485803d5a0692ee600832edbd" | |
| integrity sha512-3TJg51HSbJiLVYCS6vWwWsyqoS36aGEOCmtLLHxROlSZZ5Bk10xpxHFbrCu4DdqgR85DDc9Vucxqhai3g2xjtA== | |
| react-dom@19.1.0: | |
| version "19.1.0" | |
| # WARNING: Do not manually edit this lockfile entry. | |
| # Instead: | |
| # 1. Update react-dom to "^19.1.2" in package.json | |
| # 2. Run `yarn install` to regenerate this lockfile with correct integrity hashes | |
| # The entry below is a placeholder showing the required version target. | |
| react-dom@19.1.0: | |
| version "19.1.2" | |
| resolved "https://registry.yarnpkg.com/react-dom/-/react-dom-19.1.2.tgz#REGENERATE_VIA_YARN_INSTALL" | |
| integrity sha512-REGENERATE_VIA_YARN_INSTALL== | |
| dependencies: | |
| scheduler "^0.26.0" |
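Review bot: the replacement entry at the end of this suggestion cannot be committed as written. Its `resolved` fragment and its `integrity` value are the literal placeholder `REGENERATE_VIA_YARN_INSTALL`, so the lockfile would carry no real checksum for react-dom 19.1.2. It also keeps the key `react-dom@19.1.0:` while setting `version "19.1.2"`, which an exact `19.1.0` specifier cannot resolve to, and it writes `#` comment lines by hand into a generated file. Change the specifier in package.json and let `yarn install` produce the entry, as the comment lines in the suggestion themselves say.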
View step-by-step instructions
- Update the `react-dom` version in your `package.json` to `19.1.2` or later (e.g., `"react-dom": "^19.1.2"`), as versions 19.0.0–19.2.0 contain a critical remote code execution vulnerability (CVE-2025-55182, CVSS 10.0).
- Regenerate your lockfile by running `$ yarn install` to resolve and pin the patched version in `yarn.lock`.
- Verify the lockfile now shows `version "19.1.2"` (or higher) under the `react-dom` entry instead of `19.1.0`.
|
|
||
| react@19.0.1: | ||
| version "19.0.1" | ||
| resolved "https://registry.yarnpkg.com/react/-/react-19.0.1.tgz#0fb9523201af5f8c7aee753a825d1d9d2f9769db" | ||
| integrity sha512-nVRaZCuEyvu69sWrkdwjP6QY57C+lY+uMNNMyWUFJb9Z/JlaBOQus7mSMfGYsblv7R691u6SSJA/dX9IRnyyLQ== | ||
| react@19.1.0: | ||
| version "19.1.0" |
Semgrep identified a blocking 🔴 issue in your code:
Vulnerable version of React PINNED (CVE-2025-55182 / React2Shell). React 19.0.0, 19.1.0, 19.1.1, or 19.2.0 contain vulnerable React Server Components affected by a critical remote code execution vulnerability (CVSS 10.0). Update to React 19.0.1, 19.1.2, or 19.2.1 or later.
To resolve this comment:
✨ Commit fix suggestion
| react@19.0.1: | |
| version "19.0.1" | |
| resolved "https://registry.yarnpkg.com/react/-/react-19.0.1.tgz#0fb9523201af5f8c7aee753a825d1d9d2f9769db" | |
| integrity sha512-nVRaZCuEyvu69sWrkdwjP6QY57C+lY+uMNNMyWUFJb9Z/JlaBOQus7mSMfGYsblv7R691u6SSJA/dX9IRnyyLQ== | |
| react@19.1.0: | |
| version "19.1.0" | |
| react@19.1.0: | |
| version "19.1.2" | |
| resolved "https://registry.yarnpkg.com/react/-/react-19.1.2.tgz#69d6a66f023f7dab8cd8a8dd6fc6c8e7e298e3a9" | |
| integrity sha512-ivDbdbBDpiE9878ORUHSCPbAMKGGMOIpDHBmALQqNibGvdFkgQERUpsmBqJSoQPAGsnJMndoaVfpljiYRFBjEQA== |
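Review bot: the suggested entry keeps the key `react@19.1.0:` but sets `version "19.1.2"`, while package.json in this PR pins `"react": "19.1.0"` exactly, so the hand-edited entry would not match what the manifest requests. Bump the specifier in package.json first and regenerate yarn.lock, then check that the `resolved` and `integrity` values yarn writes are the ones in the lockfile, rather than committing the values pasted in this suggestion.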
View step-by-step instructions
- Update the React version constraint in your `package.json` to `^19.1.2` or `^19.2.1` to get a patched version. React Server Components in versions 19.0.0–19.2.0 contain a critical RCE vulnerability (CVE-2025-55182, CVSS 10.0) that is fixed in 19.1.2 and 19.2.1.
- Remove the existing `yarn.lock` entry for the vulnerable version by running `$ yarn upgrade react --latest` (or `$ yarn up react` if using Yarn Berry) to regenerate the lockfile with a patched version.
- Verify the lockfile no longer contains `version "19.0.0"`, `version "19.1.0"`, `version "19.1.1"`, or `version "19.2.0"` for the `react` package by searching for those strings.
No description provided.