Finding vulnerable code is only half the battle. When a critical CVE drops, engineering teams face a familiar nightmare: discovering affected repositories, coordinating fixes across teams, and ensuring nothing slips through the cracks. What if you could fix them all, automatically?
The CVE Remediation problem at scale
When CVE-2025-55182, a critical CVSS 10.0 vulnerability in React Server Components, was disclosed on November 29th, 2025, organizations scrambled to assess their exposure. The vulnerability affects any application using React Server Components with packages like react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack in versions 19.0 through 19.2.0.
Code search tools help you find affected repositories. But what happens next?
For most teams, the answer involves:
- Creating tickets for each affected repository
- Coordinating across multiple teams and timezones
- Manually applying the same fix hundreds of times
- Hoping no repositories get missed
- Spending days or weeks on what should be hours of work
Ona Automations changes this equation entirely.
From discovery to remediation in minutes
Ona Automations are end-to-end workflows that execute changes across your entire codebase, in parallel. Instead of finding vulnerabilities and then spending weeks coordinating fixes, you can discover, remediate, test, and create pull requests across hundreds of repositories simultaneously.
Here's how it works for CVE-2025-55182:
Step 1: Create the Automation
Navigate to Automations in Ona and click New Automation. Give it a name like "CVE-2025-55182 Remediation" and select a service account to run it; this ensures all commits and PRs are clearly attributed to the automation rather than to individual engineers.
Step 2: Define your target scope
Use GitHub repository search to target all potentially affected repositories: `org:your-org package.json react-server-dom`
Or target specific projects that you know use React Server Components:
- Select Projects as your target type
- Choose your frontend applications, Next.js services, or any projects using RSC
Step 3: Configure the Remediation Steps
Ona Automations support three step types: prompts (natural language instructions for Ona Agent), shell scripts (deterministic commands), and pull request steps (automated PR creation).
For CVE-2025-55182, a multi-step workflow might look like:
Step 1 - Prompt: Analyze and upgrade dependencies
```text
Analyze this repository for vulnerable React Server Components packages
(react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack)
in versions 19.0, 19.1.0, 19.1.1, or 19.2.0.
If found, upgrade to the latest patched version. Also check for and upgrade
any dependent frameworks:
- Next.js to 15.5.7+ or 16.0.7+
- React Router if using RSC features
Update package.json and run the package manager to update lock files.
```
Step 2 - Shell Script: verify the fix
```bash
npm install && npm test
```
Step 3 - Pull Request: submit for review
```text
Title: [Security] Remediate CVE-2025-55182 - React Server Components RCE
Description: Automated security update to patch critical RCE vulnerability
in React Server Components. See: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
```
Step 4: Set Guardrails
Before running at scale, configure guardrails to control execution:
- Max concurrent executions: Start with 10 to validate the automation works correctly
- Max total executions: Set to match your repository count (e.g., 100 for initial rollout)
For critical vulnerabilities, you might scale up to 50 concurrent executions across 500+ repositories after initial validation.
Step 5: Execute and Monitor
Click Run. Ona spins up isolated environments for each repository, running your automation steps in parallel. The Action Run Details page shows real-time progress:
- Running: Currently executing
- Pending: Queued and waiting
- Completed: Successfully finished
- Failed: Encountered errors (click to see logs)
Each action maintains full conversation logs showing exactly what Ona Agent did, what commands ran, and any errors encountered.
Why this matters:
A customer recently shared their experience with CVE remediation using Ona Automations:
"90–95% of work is done by Ona Automations. We just have to do the final push commands."
The math speaks for itself:
| Approach | 100 Repositories | 500 Repositories |
|---|---|---|
| Manual remediation | 2-3 weeks | 6-8 weeks |
| Ona Automations | 2-3 hours | 4-6 hours |
That's not just time saved; it's reduced vulnerability exposure time. Every hour a CVE remains unpatched is an hour of risk.
Scheduled Scanning: prevention over reaction
Beyond one-time remediation, Ona Automations support time-based triggers for ongoing security hygiene:
```text
Schedule: Weekly, Monday at 2:00 AM
Target: All repositories
Steps:
1. Scan for known CVEs in dependencies
2. Upgrade vulnerable packages
3. Run tests to verify compatibility
4. Create PRs for any changes
```
This transforms CVE response from reactive firefighting to proactive maintenance. Your repositories stay patched automatically, with pull requests ready for review each Monday morning.
Security built in
Ona Automations include enterprise-grade guardrails:
- Environment isolation: Each automation runs in a dedicated, isolated environment
- Command deny lists: Prevent execution of dangerous commands like `sudo` or `rm -rf /`
- Audit trails: Complete logging of every command, file modification, and PR creation
- Service account separation: Clear distinction between automation activity and human work
- Concurrency limits: Prevent runaway executions and control resource usage
Getting started
Ready to transform how you handle CVE remediation?
1. Create a service account in Settings → Members → Service Accounts
2. Configure Git authentication with appropriate repository access
3. Create your first automation targeting a small set of repositories
4. Validate the results by reviewing generated PRs
5. Scale up by increasing guardrail limits
For CVE-2025-55182 specifically, start by targeting repositories matching `package.json react-server-dom` in your organization. Run on 5-10 repositories first to validate that the automation behaves correctly, then scale to your full repository base.
Beyond CVEs: What else can you automate?
The same patterns that work for CVE remediation apply to:
- Dependency updates: Weekly automated upgrades with compatibility testing
- Code migrations: API changes, framework upgrades, or deprecation handling
- Documentation updates: Keep READMEs, Backstage YAML, and API docs current
- Compliance enforcement: License checks, security policy updates, configuration standardization
- Pull request reviews: Automated security analysis on every code change using PR triggers
*Ona Automations is available for Enterprise customers.* Request a demo to see how automations can transform your organization's approach to large-scale code changes.
Have questions about setting up CVE remediation automations? Reach out to your account manager or explore our Automations documentation.
Found this useful? I write about AI infrastructure, security, and the engineering challenges of building production AI systems. Connect with me on LinkedIn or Twitter/X.
Top comments (2)
this is slick. how does it differ from building this as a bash script w/ the claude code cli?
Fair point! Bash + Claude Code works for a smaller number of repos. Ona Automations handles the unglamorous parts at scale:
Basically: at 100+ repos, you'd be rebuilding Ona w/ worse observability & no guardrails.