OSG-SEC-2026-02-17 CRITICAL Rucio WebUI - React/Next.js Dependency Vulnerability (CVE-2025-55182)
Dear OSG Security Contacts,
A critical vulnerability has been reported affecting the Rucio WebUI 38.2.0 and 38.2.1 container images: their downstream dependencies, React and Next.js, are affected by CVE-2025-55182 (commonly referred to as "React2Shell").
IMPACTED VERSIONS:
Rucio WebUI 38.2.0 and 38.2.1
WHAT ARE THE VULNERABILITIES:
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
WHAT YOU SHOULD DO:
Upgrade Rucio WebUI to version 38.3.0 or later.
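As an added check (not part of this advisory, the Rucio project, or the React/Next.js projects), the following Python script helps an operator confirm exposure: it reads an npm package-lock.json and reports every react-server-dom-* package pinned to one of the versions listed above, and it tests a container image reference against the impacted WebUI tags. The image repository name and the embedded sample lockfile are constructed placeholders; the package names, versions and WebUI tags are those given in this advisory.

```python
"""Flag the React Server Components packages and Rucio WebUI image tags named in this advisory.

Added example, not code from the Rucio project or OSG. Reads an npm package-lock.json
(lockfile v2/v3 "packages" map, or the older v1 nested "dependencies" tree) and lists
every react-server-dom-* package at one of the vulnerable versions, including copies
nested under another package, which a top-level-only check would miss.
"""
import json
import sys

# Packages and versions exactly as listed in the advisory text.
VULNERABLE_PACKAGES = {
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
    "react-server-dom-webpack",
}
VULNERABLE_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
IMPACTED_WEBUI_TAGS = {"38.2.0", "38.2.1"}


def webui_image_is_impacted(image_ref: str) -> bool:
    """True if the tag of an image reference such as 'registry.example/rucio/webui:38.2.1'
    (placeholder repository name) is one of the impacted WebUI releases.
    Digest-only or untagged references are not judged and return False."""
    last_segment = image_ref.split("/")[-1]
    tag = image_ref.rsplit(":", 1)[1] if ":" in last_segment else ""
    return tag in IMPACTED_WEBUI_TAGS


def find_vulnerable_packages(lock: dict) -> list[tuple[str, str, str]]:
    """Return sorted (install path, package name, version) triples for each vulnerable copy."""
    hits: set[tuple[str, str, str]] = set()

    # lockfile v2/v3: flat map keyed by install path ("node_modules/x", "node_modules/a/node_modules/x").
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name in VULNERABLE_PACKAGES and version in VULNERABLE_VERSIONS:
            hits.add((path, name, version))

    # lockfile v1: nested "dependencies" tree; walk it recursively so nested copies are found.
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            version = meta.get("version", "")
            if name in VULNERABLE_PACKAGES and version in VULNERABLE_VERSIONS:
                hits.add((path, name, version))
            walk(meta.get("dependencies", {}), path + "/")

    # v2 lockfiles also carry a legacy "dependencies" tree; only walk it when no "packages" map exists.
    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Constructed sample lockfile (not taken from the Rucio WebUI repository): one copy of
# react-server-dom-webpack at a version outside the advisory's list at the top level,
# and one vulnerable copy nested under a hypothetical framework package.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.0.1"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/some-framework/node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    },
}


def main(argv: list[str]) -> int:
    """Usage: python check_rsc.py [path/to/package-lock.json]; exit 1 if any vulnerable copy is found."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_vulnerable_packages(lock)
    for path, name, version in hits:
        print(f"VULNERABLE {name}@{version} at {path}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the package-lock.json extracted from the deployed WebUI image (for example by copying the file out of a running container); a non-zero exit status means at least one vulnerable copy is present. Matching is on exact versions, so a lockfile that resolves these packages to a version not in the advisory's list is reported clean by this check alone and should still be confirmed against the upgrade guidance above.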
REFERENCES:
[1] https://github.com/rucio/containers/releases/tag/webui-38.3.0
[2] https://www.cve.org/CVERecord?id=CVE-2025-55182
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-55182
[4] https://advisories.egi.eu/
[5] https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
[6] https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
[7] https://nextjs.org/blog/CVE-2025-66478
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team