Fix React Server Components CVE vulnerabilities#220
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This automated pull request upgrades Next.js from version 15.2.6 to 15.2.8 to address critical remote code execution (RCE) vulnerabilities in React Server Components that affect Next.js and similar frameworks.
Changes:
- Upgraded Next.js package from 15.2.6 to 15.2.8
- Updated package-lock.json with new Next.js version and associated dependency tree changes
- Modified peer dependency flags for various packages as a side effect of the dependency resolution
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates Next.js version from 15.2.6 to 15.2.8 |
| package-lock.json | Updates lockfile with new Next.js version, @next/env version, and adjusts peer dependency flags throughout the dependency tree |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "lucide-react": "^0.487.0", | ||
| "mantine-flagpack": "^4.1.1", | ||
| "next": "15.2.6", | ||
| "next": "15.2.8", |
There was a problem hiding this comment.
The CVE identifiers and advisory links mentioned in the PR description appear to be fabricated or incorrect:
-
CVE-2025-55182 - The advisory link points to "react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" which references December 2025, a future date.
-
CVE-2025-66478 - The advisory link points to "nextjs.org/blog/CVE-2025-66478" with the same issue.
-
The GitHub Security Advisory GHSA-9qr9-h5gf-34mp may or may not exist, but should be verified.
While the Next.js version upgrade from 15.2.6 to 15.2.8 may be legitimate and appropriate for security reasons, the CVE numbers and advisory references in the PR description should be verified and corrected if they are inaccurate. This is especially important for security patches where proper documentation and traceability are critical.
1 participant
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project dotabod. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com