Fix React Server Components CVE vulnerabilities#181
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This automated security PR from Vercel upgrades Next.js from version 15.2.3 to 15.2.8 to address critical remote code execution (RCE) vulnerabilities in React Server Components (CVE-2025-55182 and CVE-2025-66478). The vulnerabilities enable unauthenticated RCE via insecure deserialization in the React Flight protocol.
Changes:
- Upgrades Next.js from ^15.2.3 to pinned version 15.2.8 in the eurekapad app
- Updates all related Next.js dependencies in pnpm-lock.yaml including @next/env, swc binaries, and packages that depend on Next.js
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| apps/eurekapad/package.json | Changes Next.js version specifier from flexible range (^15.2.3) to pinned exact version (15.2.8) for security patching |
| pnpm-lock.yaml | Updates Next.js core package, @next/env, swc binaries (to 15.2.5), and all dependent packages (@clerk/nextjs, @sentry/nextjs, @vercel/analytics, @vercel/speed-insights) to use the patched Next.js version; also includes metadata updates for some existing deprecated packages |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Comments suppressed due to low confidence (1)
apps/eurekapad/package.json:84
- PR description says it upgrades both React and Next.js to patched versions for the RSC CVE, but this change only bumps
nextwhilereact/react-domremain at19.0.0. If React also needs a patched version for this advisory, the dependency updates are incomplete; otherwise the PR description should be adjusted to reflect what was actually changed.
"next": "^15.2.8",
"next-themes": "^0.4.4",
"posthog-js": "^1.231.0",
"react": "19.0.0",
"react-dom": "19.0.0",
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| next: | ||
| specifier: ^15.2.3 | ||
| version: 15.2.3(@babel/core@7.25.2)(@opentelemetry/api@1.9.0)(babel-plugin-react-compiler@19.0.0-beta-55955c9-20241229)(react-dom@19.0.0(react@19.0.0))(react@19.0.0) | ||
| specifier: ^15.2.8 |
There was a problem hiding this comment.
In importers.apps/eurekapad, the lockfile records next as specifier: 15.2.8, but apps/eurekapad/package.json specifies "next": "^15.2.8". This mismatch will cause pnpm install to rewrite the lockfile (and can break reproducibility checks if enabled). Regenerate the lockfile (or align the version range in package.json / the lockfile specifier so they match).
| specifier: ^15.2.8 | |
| specifier: ^15.2.8 |
|
Pro |
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project eurekapad. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com