Clarification on exposure to CVE-2025-55182

[stdweird]

Given there are lots of references to React (and i am clueless to interpret them properly), can you provide some statement wrt https://www.cve.org/CVERecord?id=CVE-2025-55182 and LibreChat

[stdweird]

@danny-avila apologies for the dramatic title, but not sure how else to report this.

[brenwhyte]

For any AWS users:

https://aws.amazon.com/security/security-bulletins/rss/aws-2025-030/

The default version (1.24) of the AWS WAF "AWSManagedRulesKnownBadInputsRuleSet" now includes the updated rule for this issue. As an interim protection measure, customers can deploy a custom AWS WAF rule to help detect and prevent exploitation attempts where applicable.

Cloudflare has similar

https://blog.cloudflare.com/waf-rules-react-vulnerability/

[danny-avila]

We don't use React 19 and its server components. Keep an eye out for the security tab for package vulnerabilities.

https://github.com/danny-avila/LibreChat/security

[stdweird]

thanks for clarifying!