Fix React Server Components RCE vulnerability #2
Conversation
Updated dependencies to fix Next.js CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Pull request overview
This PR addresses a critical security vulnerability (CVE-2025-55182) affecting React Server Components that enables remote code execution through insecure deserialization. The automated fix updates Next.js from version ^16.0.0 to 16.0.7, which includes the security patch for the vulnerability.
Key Changes:
- Next.js upgraded from ^16.0.0 to 16.0.7 (pinned version)
- All Next.js SWC platform-specific binaries updated to 16.0.7
- Package lock file updated with new integrity hashes and dependency resolutions
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| frontend/package.json | Updates Next.js dependency from caret range (^16.0.0) to exact pinned version (16.0.7) for security patch |
| frontend/package-lock.json | Updates all Next.js packages and dependencies to version 16.0.7, including platform-specific SWC binaries, with corresponding integrity hashes and removes some "peer": true flags |
Files not reviewed (1)
- frontend/package-lock.json: Language not supported
| "dependencies": { | ||
| "clsx": "^2.1.1", | ||
| "next": "^16.0.0", | ||
| "next": "16.0.7", |
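Review bot: the hunk replaces the caret range with an exact pin, `"next": "16.0.7"`, but the PR description says react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack were also updated, and nothing in frontend/package.json changes for them; confirm in frontend/package-lock.json that every resolved copy of those packages (including any nested under node_modules/next) is at a patched version, because the top-level next bump on its own does not establish that. The exact pin also means `npm update` will not pick up a later 16.0.x fix; either keep the pin and rely on lockfile tooling to track releases, or use `^16.0.7` as the inline suggestion proposes.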
Copilot (AI), Dec 11, 2025
The Next.js version is pinned to an exact version (16.0.7) while other dependencies use caret ranges. For consistency with the rest of the package.json and to allow automatic patch updates for future security fixes, consider using "^16.0.7" instead of "16.0.7".
| "next": "16.0.7", | |
| "next": "^16.0.7", |
| "react": "^19.0.0", | ||
| "react-dom": "^19.0.0" |
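Review bot: react and react-dom stay at ^19.0.0, which the review summary says the lockfile resolves to 19.2.0, but the packages the PR description names as updated are the react-server-dom-* entries, not react itself; bumping react/react-dom to ^19.2.1 only helps if the react-server-dom-* packages actually resolve to a patched version, so check those lockfile entries directly instead of inferring their state from the react version.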
Copilot (AI), Dec 11, 2025
According to the PR description, this vulnerability affects React Server Components in both React and Next.js (CVE-2025-55182). While Next.js is updated to 16.0.7, the React and react-dom packages remain at ^19.0.0 (resolving to 19.2.0). Please verify with the security advisories whether the current React version 19.2.0 is patched for this vulnerability or if React packages also need to be updated to specific versions.
| "react": "^19.0.0", | |
| "react-dom": "^19.0.0" | |
| "react": "^19.2.1", | |
| "react-dom": "^19.2.1" |
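The review above asks for verification against the advisory rather than trusting the package.json bump. The script below is an added example, not part of this PR, of the fix-react2shell-next tool or of Copilot's suggestion: it walks an npm lockfile's `packages` map (lockfileVersion 2/3), finds every installed copy of next and the react-server-dom-* packages, including copies nested under another package's node_modules, and compares each one with the minimum patched version for its major.minor line. The `FIXED` table is an assumption for illustration: 16.0.7 is the next version this PR pins, and 19.2.1 is the line Copilot's suggestion refers to; fill it from the official advisory before running it on a real repository. The lockfile fragment is constructed for the example.

```javascript
// Added example: scan an npm lockfile for the packages this PR is about and
// report copies that are below the patched version for their release line.
// Not the project's code; FIXED is an assumed table to be filled from the
// official advisory (16.0.7 is the pin in this PR, 19.2.1 the line named in review).
const FIXED = {
  "next": ["16.0.7"],
  "react-server-dom-webpack": ["19.2.1"],
  "react-server-dom-parcel": ["19.2.1"],
  "react-server-dom-turbopack": ["19.2.1"],
};

// "19.2.1-canary.3" -> [19, 2, 1]; rejects anything that is not three numeric parts.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric compare (so 16.0.10 > 16.0.7); a prerelease sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  const preA = a.includes("-"), preB = b.includes("-");
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

// Lockfile keys are install paths; the package name is the part after the last node_modules/.
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Returns one finding per copy that is vulnerable, or whose release line is not in the
// table at all (reported as "unknown-line" so it gets looked at rather than silently passed).
function findUnpatched(lock, fixed = FIXED) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    const name = packageName(lockPath);
    if (!(name in fixed) || !entry.version) continue;
    const [maj, min] = parseVersion(entry.version);
    const line = fixed[name].find(f => {
      const [fm, fn] = parseVersion(f);
      return fm === maj && fn === min;
    });
    if (!line) {
      findings.push({ path: lockPath, version: entry.version, status: "unknown-line" });
    } else if (compareVersions(entry.version, line) < 0) {
      findings.push({ path: lockPath, version: entry.version, status: "vulnerable", fixed: line });
    }
  }
  return findings;
}

// Constructed lockfile fragment: next is patched, one top-level and one nested
// react-server-dom copy are not, and one copy is on a line the table does not cover.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend", dependencies: { next: "16.0.7" } },
    "node_modules/next": { version: "16.0.7" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1-canary.1" },
    "node_modules/react-server-dom-parcel": { version: "19.1.0" },
  },
};

console.log(JSON.stringify(findUnpatched(SAMPLE_LOCK), null, 2));
```

To run it against the real file, replace `SAMPLE_LOCK` with `JSON.parse(require("fs").readFileSync("frontend/package-lock.json", "utf8"))`. One caveat for this check: it only sees packages installed from npm; if next ships its own bundled copy of the RSC runtime rather than depending on the npm package, that copy never appears in the lockfile and is governed by the next version alone, which is why the next entry is in the table too.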
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project api-mockly. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com