Conversation

@vercel vercel bot commented Feb 4, 2026

User description

Important

This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. We can't guarantee the PR is comprehensive, and it may contain mistakes.

Not all projects are affected by all issues, but patched versions are required to ensure full remediation.

Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.

This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.

See our Security Bulletins for more information and reach out to security@vercel.com with any questions.


PR Type

Bug fix


Description


Diagram Walkthrough

flowchart LR
  A["package.json"] -- "Update next 15.3.6 to 15.3.8" --> B["Patched CVE Vulnerabilities"]
  A -- "Fix file ending newline" --> B

File Walkthrough

Relevant files: Dependencies
  package.json (+2/-2): Update Next.js version for security patches
    • Updated next dependency from 15.3.6 to 15.3.8 to fix React Server Components CVE vulnerabilities
    • Added missing newline at end of file for proper formatting

Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
vercel bot commented Feb 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: qcx | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Feb 4, 2026 5:56pm

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@ngoiyaeric ngoiyaeric marked this pull request as ready for review February 4, 2026 17:55
@charliecreates charliecreates bot requested a review from CharlieHelps February 4, 2026 17:55
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review

PR Code Suggestions ✨

No code suggestions found for the PR.

@charliecreates charliecreates bot left a comment

This security PR appears incomplete versus its own stated remediation scope: the diff only bumps next while claiming to patch react-server-dom-* packages as well. Ensure the lockfile is updated and committed (or that your deploys use a deterministic install) so the patched transitive versions are actually resolved; otherwise the CVE fix may not be effective.

Additional notes (1)
  • Security | package.json:73-79
    Pinning next to an exact patch version (15.3.8) is consistent with security patching, but this change is incomplete relative to the PR’s stated goal (RSC CVE remediation). The PR description claims updates to react-server-dom-* packages as well; however, this diff shows only next being updated. If your app uses/depends on RSC packages indirectly, relying solely on a next bump may leave vulnerable transitive versions in the lockfile.

At minimum, verify the lockfile actually resolves to the patched react-server-dom-webpack/react-server-dom-turbopack versions expected for this advisory (and that CI installs them). If you don’t commit a lockfile in this repo, ensure your deployment pipeline performs a deterministic install that picks up the patched transitive deps.

This is a security PR: missing lockfile updates (or missing explicit dependency bumps when needed) are a common way for these automated PRs to provide a false sense of remediation.

Summary of changes

  • Bumped next from 15.3.6 to 15.3.8 in package.json to address React Server Components CVE-related vulnerabilities per Vercel’s automated security PR.
  • No other dependency versions were changed in the provided diff.
  • Minor file-ending change (newline/EOF adjustment) with no functional impact.

@charliecreates charliecreates bot removed the request for review from CharlieHelps February 4, 2026 17:56
@ngoiyaeric ngoiyaeric merged commit b4c7ca0 into main Feb 4, 2026
3 of 4 checks passed