@aushaSanity
Contributor

🚨 Security Advisory

This PR addresses CVE-2025-55182, a critical remote code execution vulnerability in React Server Components.

📋 Summary

Updates React dependencies to patched version 19.2.1 that fixes a critical RCE vulnerability affecting React 19.

🔧 Changes

Dependency Updates

Package     Previous Version   New Version
React       19.2.0             19.2.1 ✅
React DOM   19.2.0             19.2.1 ✅
React Is    19.2.0             19.2.1 ✅

Files Modified

  • pnpm-workspace.yaml - Updated catalog versions
  • pnpm-lock.yaml - Updated lockfile with new versions

🔐 Vulnerability Details

  • CVE ID: CVE-2025-55182
  • Severity: 🔴 Critical
  • Affected Versions: React 19.0, 19.1.0, 19.1.1, 19.2.0
  • Description: Under certain conditions, specially crafted requests could lead to unintended remote code execution in applications using React Server Components.
  • Reference: https://vercel.com/changelog/cve-2025-55182

✅ Testing

  • Dependencies installed successfully with pnpm install
  • No breaking changes expected (patch version bump)
  • Lockfile updated and committed

📚 Additional Context

What was the issue?

The vulnerability existed in React Server Components (RSC) where malicious requests could potentially execute arbitrary code on the server.

Why this matters for visual-editing

This repository provides visual editing tools that may use React Server Components in integrated applications. Keeping React updated is essential for security.

Platform Protections

Note: Projects hosted on Vercel already have platform-level protections that block malicious request patterns. However, upgrading is still strongly recommended regardless of hosting provider.

🚀 Deployment Notes

This is a patch version update with no breaking changes. Safe for immediate deployment.

Recommended Actions

  1. ✅ Merge this PR
  2. ✅ Publish updated packages
  3. ✅ Deploy to all environments
  4. ✅ Verify visual editing functionality
  5. ✅ Run security audits to confirm no remaining vulnerabilities

📖 Related

👥 Review Checklist

  • Security implications reviewed
  • No breaking changes introduced
  • Tests passing
  • Ready to deploy

Priority: 🔴 CRITICAL - Merge and deploy ASAP.

cc: @sanity-io/engineering

This commit updates React dependencies to patched version 19.2.1
that addresses CVE-2025-55182, a critical remote code execution
vulnerability in React Server Components.

Changes:
- React: 19.2.0 → 19.2.1
- React DOM: 19.2.0 → 19.2.1
- React Is: 19.2.0 → 19.2.1

Vulnerability Details:
- CVE ID: CVE-2025-55182
- Severity: Critical
- Description: React Server Components RCE vulnerability affecting
  React 19 under certain conditions with specially crafted requests
- Reference: https://vercel.com/changelog/cve-2025-55182

The vulnerability allowed specially crafted requests to potentially
lead to unintended remote code execution in applications using React
Server Components.

All affected packages have been updated to the latest patched versions
as recommended by Vercel and the React team.
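
The Testing and Recommended Actions sections above name `pnpm install` and a follow-up security audit as the verification steps. The script below is an added example, not part of this PR or of the visual-editing repository: it scans a pnpm v9 `pnpm-lock.yaml` for the three packages listed in the PR's dependency table and reports any resolved entry still below 19.2.1, so the check can be repeated after merge or wired into CI. The lockfile excerpts and their integrity hashes are constructed placeholders, and the rule "19.x below 19.2.1 is unpatched" is an assumption derived from the affected-version list in the PR.

```python
"""Audit a pnpm-lock.yaml for React packages still on versions affected by
CVE-2025-55182 (patched in 19.2.1, as stated in the PR above).

Added example, not code from the visual-editing repository. Package names and
the patched version come from the PR's dependency table; the lockfile excerpts
below are constructed and their integrity hashes are placeholders.
"""
import re
import sys
from typing import Dict, Iterable, List, Set, Tuple

AFFECTED_PACKAGES = ("react", "react-dom", "react-is")
PATCHED_VERSION = "19.2.1"

# A top-level entry under `packages:` or `snapshots:` in a pnpm v9 lockfile is
# indented exactly two spaces, e.g. "  react-dom@19.2.0(react@19.2.0):" or
# "  '@types/react@19.2.1':" (scoped names are quoted). Deeper-indented lines
# such as "      react: ^19.2.0" are peer/dependency references, not entries.
ENTRY_RE = re.compile(
    r"^  '?(?P<name>@?[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)?)"
    r"@(?P<version>\d+\.\d+\.\d+[^:\s'(]*)"
)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Comparable tuple; a pre-release such as 19.2.1-canary-... sorts below
    the final 19.2.1, matching semver precedence."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(-)?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def lockfile_versions(lock_text: str) -> Dict[str, Set[str]]:
    """Every resolved version of every package named in the lockfile."""
    found: Dict[str, Set[str]] = {}
    for line in lock_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            found.setdefault(m.group("name"), set()).add(m.group("version"))
    return found


def find_unpatched(
    lock_text: str,
    packages: Iterable[str] = AFFECTED_PACKAGES,
    patched: str = PATCHED_VERSION,
) -> List[Tuple[str, str]]:
    """(package, version) pairs on the same major line as the fix but older
    than it. React 18.x is outside the advisory's range and is not reported."""
    floor = parse_version(patched)
    watched = set(packages)
    hits: List[Tuple[str, str]] = []
    for name, versions in lockfile_versions(lock_text).items():
        if name not in watched:
            continue
        for v in versions:
            pv = parse_version(v)
            if pv[0] == floor[0] and pv < floor:
                hits.append((name, v))
    return sorted(hits)


# Constructed lockfile excerpt resembling the state before this PR.
SAMPLE_BEFORE = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      react:
        specifier: catalog:
        version: 19.2.0
      react-dom:
        specifier: catalog:
        version: 19.2.0(react@19.2.0)

packages:

  react@19.2.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  react-dom@19.2.0:
    resolution: {integrity: sha512-PLACEHOLDER}
    peerDependencies:
      react: ^19.2.0

  react-is@19.2.1:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  react@19.2.0: {}

  react-dom@19.2.0(react@19.2.0):
    dependencies:
      react: 19.2.0
"""

# The same excerpt after the bump to 19.2.1.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("19.2.0", "19.2.1")

if __name__ == "__main__":
    # Usage: python audit_react_lockfile.py pnpm-lock.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    unpatched = find_unpatched(text)
    for name, version in unpatched:
        print(f"UNPATCHED {name}@{version} (fixed in {PATCHED_VERSION})")
    sys.exit(1 if unpatched else 0)
```

Run it against the repository's real `pnpm-lock.yaml`; a non-zero exit means at least one resolved entry is still on an affected version, which is the condition a CI gate should fail on. Only the two-space-indented `packages:` and `snapshots:` entries are parsed, which is enough because every version an importer pins must also appear there.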
@changeset-bot

changeset-bot bot commented Dec 3, 2025

⚠️ No Changeset found

Latest commit: 404ca94

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

@vercel

vercel bot commented Dec 3, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                          Deployment   Preview   Comments   Updated (UTC)
live-visual-editing-next         Ready        Preview   Comment    Dec 3, 2025 7:25pm
visual-editing-astro             Ready        Preview   Comment    Dec 3, 2025 7:25pm
visual-editing-next              Ready        Preview   Comment    Dec 3, 2025 7:25pm
visual-editing-next-with-i18n    Error                             Dec 3, 2025 7:25pm
visual-editing-nuxt              Ready        Preview   Comment    Dec 3, 2025 7:25pm
visual-editing-page-builder-demo Ready        Preview   Comment    Dec 3, 2025 7:25pm
visual-editing-remix             Ready        Preview   Comment    Dec 3, 2025 7:25pm
visual-editing-storybook         Ready        Preview   Comment    Dec 3, 2025 7:25pm
visual-editing-studio            Ready        Preview   Comment    Dec 3, 2025 7:25pm

1 Skipped Deployment

Project                          Deployment   Preview   Comments   Updated (UTC)
visual-editing-svelte            Ignored                           Dec 3, 2025 7:25pm

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff      Package                     Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated   react@19.2.0 ⏵ 19.2.1       100                     100             84        97 +1         100
Updated   react-dom@19.2.0 ⏵ 19.2.1   100                     100             92        98 +1         100
Added     react-is@19.2.1             100                     100             100       98            100


@stipsan stipsan merged commit 7906ced into main Dec 3, 2025
16 of 18 checks passed
@stipsan stipsan deleted the fix/cve-2025-55182-react-server-components branch December 3, 2025 19:33