Why Calenso is not affected and what has been technically verified
In recent days, both the German Federal Office for Information Security (BSI) and the React team have issued critical security warnings about React Server Components. The vulnerability, listed under CVE-2025-55182 and rated with a CVSS score of 10.0, has understandably caused uncertainty among many companies.
We at Calenso took this report very seriously and immediately launched a comprehensive technical analysis to rule out any possible direct or indirect contact with the affected components. The result is clear: Calenso is not affected by this security vulnerability.
The reason lies both in the technology we use and in our system architecture. Below, we explain transparently why the vulnerability is not relevant to Calenso and what specific tests our engineering team has carried out.
Why the React security vulnerability is not relevant to Calenso
1. No use of React Server Components
The reported vulnerability only affects setups that use React Server Components (RSC). Calenso does not use React or Server Components in any part of its platform.
Our technology stack:
Frontend: Angular (versions 17–20; no React in the build or rendering process)
Backend: CakePHP-based API backend plus additional microservices
Deployment: Separate build pipelines for frontend and backend, without Node.js-based server rendering of UI components
This eliminates the entire attack class that is relevant to React Server Components.
2. No affected bundles or rendering paths
The points of attack described in the warning refer in particular to:
Manipulable RSC payloads
Incorrect serialization in React server runtime environments
Vulnerable bundles that deliver server-side component logic
Dangerous combinations of SSR (server-side rendering) and RSC hydration
Calenso does not use any of these mechanisms. Our Angular application is compiled entirely on the client side and delivered statically. There is no server-side component interpretation, no RSC hydration, and no payload-based server render pipelines.
3. Checking all build artifacts and dependencies
Although Calenso does not use React technologies, we also conducted an in-depth technical analysis:
The following components were checked:
Node dependencies of our frontend builds
Build artifacts of the CI/CD pipelines
Package dependencies of the backend services
Container images and their libraries
Indirect dependencies via third-party npm packages
Possible integration of React libraries in submodules or admin tools
Result: There is no direct or indirect dependency on React Server Components or the affected runtime libraries.
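One way to carry out the indirect-dependency part of this check against an npm lockfile, as an added example (not Calenso's own tooling): it walks both lockfile layouts and reports React or RSC runtime packages at any depth. The function names, the sample lockfile and the `admin-widget` package are hypothetical and constructed for illustration.

```python
import json

# React Server Components runtime packages (real npm names). The page lists
# no affected versions, so presence is reported and versions are left for
# comparison against the official advisory.
RSC_RUNTIME = {"react-server-dom-webpack", "react-server-dom-parcel",
               "react-server-dom-turbopack"}
REACT_CORE = {"react", "react-dom"}  # informational: React present at all


def _walk_v1(deps, chain=()):
    """Yield (name, version, location) from a lockfile v1 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        here = chain + (name,)
        yield name, meta.get("version"), " > ".join(here)
        yield from _walk_v1(meta.get("dependencies"), here)


def _walk_v2(packages):
    """Yield (name, version, location) from a lockfile v2/v3 'packages' map."""
    for path, meta in packages.items():
        # 'node_modules/a/node_modules/@s/b' -> '@s/b'; workspace paths and
        # the root entry '' contain no 'node_modules/' and never match.
        if "node_modules/" in path:
            yield path.rpartition("node_modules/")[2], meta.get("version"), path


def find_react_packages(lock):
    """Return findings for React/RSC packages at any depth of the tree."""
    entries = (_walk_v2(lock["packages"]) if "packages" in lock
               else _walk_v1(lock.get("dependencies")))
    return sorted(
        ({"name": n, "version": v, "location": loc, "rsc_runtime": n in RSC_RUNTIME}
         for n, v, loc in entries if n in RSC_RUNTIME | REACT_CORE),
        key=lambda f: f["location"])


# Constructed sample: a hypothetical admin tool pulling an RSC runtime in transitively.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@angular/core": "0.0.0-sample", "admin-widget": "0.0.0-sample"}},
    "node_modules/@angular/core": {"version": "0.0.0-sample"},
    "node_modules/admin-widget": {"version": "0.0.0-sample"},
    "node_modules/admin-widget/node_modules/react-server-dom-webpack": {"version": "0.0.0-sample"}
  }
}""")

if __name__ == "__main__":
    for finding in find_react_packages(SAMPLE_LOCK):
        print(finding)
```

A lockfile scan does not see copies vendored inside another package's published files, which is why the build-artifact and container-image checks listed above are still needed alongside it.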
4. Not critical due to architecture
In this case, Calenso's architecture provides additional structural protection:
Angular renders exclusively in the browser.
There is no server-side component interpreter.
API calls are clearly isolated and are not mixed with UI rendering.
Serialized payloads from the front end are never evaluated dynamically.
The architecture therefore rules out the attack vectors described in the security advisories.
5. Ongoing security monitoring
Even though Calenso is not affected, security remains a central part of our platform strategy:
Continuous monitoring of CVEs & advisories
Regular dependency audits
Automated security scans in CI/CD
Manual code reviews in the security team
Additional testing by our Myra WAF and infrastructure monitoring
We proactively inform our customers whenever relevant security risks could arise.
Official sources
For anyone who would like more information about the vulnerability, we recommend reading the original reports:







