SAS Statement Regarding React and Next.js Vulnerability (CVE-2025-55182)

Reference Name: React and Next.js Vulnerability (CVE-2025-55182)
Severity: Critical

History

  • 12-17-2025 – Updated statement
  • 12-04-2025 – Initial statement

Summary

SAS is aware of CVE-2025-55182 and has investigated the impact of this vulnerability on SAS® products.

SAS Cloud Solutions

SAS Cloud and Information Services are aware of CVE-2025-55182 and are actively working to ensure that protection capabilities are up to date.

Impact

SAS has evaluated that the SAS® Viya® platform, SAS Viya 3.x, SAS® 9.2, SAS® 9.3, and SAS® 9.4 are not affected because they do not use a vulnerable version of the React or Next.js components.

SAS has evaluated that SAS® Customer Intelligence 360 is not affected because it does not use a vulnerable version of the React or Next.js components.

As always, SAS recommends that you keep your SAS deployments up to date. The current version of the SAS® 9 platform is SAS® 9.4M9. Instructions for upgrading are available.

Guidance, Activities, and Plans

At this time, no customer action in response to CVE-2025-55182 is recommended. This bulletin will be updated if any impact updates are available.

Updates to this Bulletin

When SAS has additional news or guidance for this vulnerability and its impact on SAS software and services, we will update this official security bulletin.

The latest SAS Product Security bulletins are available at https://support.sas.com/security-bulletins.html and by RSS feed.
