Fix React Server Components RCE vulnerability #32
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## React Flight / Next.js RCE Advisory - Security Update Report ### Summary The Takumi repository has been updated to address the React Flight / Next.js RCE advisory CVE. The project was using vulnerable versions of Next.js and React, which have now been patched to secure versions. ### Vulnerability Details The following vulnerable package versions were identified and upgraded: 1. **Next.js 15.5.3 → 15.5.7** ✅ PATCHED - Advisory requirement for 15.5.x: 15.5.7 - Status: Updated to patched version 2. **React 19.1.0 → 19.1.2** ✅ PATCHED - React 19.1.0 is a vulnerable version per the advisory - Vulnerable versions list: 19.0.0, 19.1.0, 19.1.1, 19.2.0 - Status: Updated to safe version 19.1.2 3. **React-DOM 19.1.0 → 19.1.2** ✅ PATCHED - React-DOM 19.1.0 is a vulnerable version per the advisory - Status: Updated to match React version 19.1.2 ### Project Analysis **Project Type**: Next.js 15.5 Application - Framework: Next.js 15.5 - React Server Components: Not using React Flight packages - Configuration: Single package.json (no monorepo) **Packages Checked:** - ✅ Next.js: 15.5.3 → 15.5.7 (vulnerable → patched) - ✅ React: 19.1.0 → 19.1.2 (vulnerable → safe) - ✅ React-DOM: 19.1.0 → 19.1.2 (vulnerable → safe) - ✅ React Flight packages: Not in use (no action needed) ### Changes Made #### Modified Files: 1. **package.json** - Updated `next` from `15.5.3` to `15.5.7` - Updated `react` from `19.1.0` to `19.1.2` - Updated `react-dom` from `19.1.0` to `19.1.2` 2. **package-lock.json** - Regenerated to reflect all package version updates - All Next.js 15.5.7 components (@next/env, @next/swc-*) updated - React and React-DOM dependencies updated to 19.1.2 - All transitive dependencies resolved correctly #### Implementation Rationale: - **Next.js upgrade to 15.5.7**: This is the patched version specified by the advisory for the 15.5.x minor version - **React/React-DOM upgrade to 19.1.2**: Version 19.1.0 was vulnerable per the advisory requirements; upgraded to 19.1.2 which is a safe version - **No React Flight packages**: Project does not use react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack, so no additional React Flight upgrades needed - **Lockfile updated**: package-lock.json regenerated to ensure all dependencies resolve to patched versions ### Verification ✅ **Build Status**: Build completes successfully with patched versions ✅ **Dependency Resolution**: All packages resolve correctly in lockfile ✅ **No React Flight Risk**: Project is not using vulnerable React Flight packages ✅ **Patch Verification**: All patched versions match advisory requirements ### Security Compliance After these updates, the Takumi project is **fully compliant** with the React Flight / Next.js RCE advisory: - ✅ Next.js upgraded to patched version for detected minor (15.5.7) - ✅ React versions updated to safe versions (no longer using 19.1.0) - ✅ React-DOM versions updated to match React safely - ✅ No vulnerable React Flight packages in use - ✅ Lockfile updated with all patched versions ### Repository Details - **Repository**: Takumi (Vasanthrs-dev/Takumi) - **Branch**: main - **Update Date**: December 8, 2025 - **Framework**: Next.js 15.5 ### Notes - The build process shows warnings related to OpenTelemetry/inngest configuration, but these are pre-existing issues unrelated to the React Flight advisory - No application logic was modified; only dependency versions were updated - All changes are focused on security and have no functional impact on the application Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Author
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project takumi. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
GitHub Security Advisory: GHSA-9qr9-h5gf-34mp
React Advisory: CVE-2025-55182
Next.js Advisory: CVE-2025-66478
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com