Skip to content

Fix React Server Components CVE vulnerabilities#196

Merged
petrubraha merged 2 commits intomasterfrom
vercel/react-server-components-cve-vu-9zafdy
Feb 23, 2026
Merged

Fix React Server Components CVE vulnerabilities#196
petrubraha merged 2 commits intomasterfrom
vercel/react-server-components-cve-vu-9zafdy

Conversation

@vercel
Copy link
Contributor

@vercel vercel bot commented Feb 23, 2026

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project gifthub. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

@vercel
Fix React Server Components CVE vulnerabilities
665fa07 
Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel  
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@vercel
Copy link
Contributor Author

vercel bot commented Feb 23, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
gifthub Ready Ready Preview, Comment Feb 23, 2026 3:23pm

@petrubraha petrubraha self-requested a review February 23, 2026 15:22
@petrubraha petrubraha self-assigned this Feb 23, 2026
@petrubraha petrubraha requested a review from lefcos February 23, 2026 15:22
@lefcos lefcos marked this pull request as ready for review February 23, 2026 15:23
petrubraha
petrubraha reviewed Feb 23, 2026
View reviewed changes
@sonarqubecloud
Copy link

sonarqubecloud bot commented Feb 23, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@petrubraha petrubraha merged commit e919f98 into master Feb 23, 2026
4 of 7 checks passed
@petrubraha petrubraha deleted the vercel/react-server-components-cve-vu-9zafdy branch February 23, 2026 19:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@petrubraha petrubraha petrubraha left review comments

@sky11fca sky11fca sky11fca approved these changes

@lefcos lefcos Awaiting requested review from lefcos

@MeraruIoanLucian MeraruIoanLucian Awaiting requested review from MeraruIoanLucian

@JustAnotherAndrei JustAnotherAndrei Awaiting requested review from JustAnotherAndrei

@e3getmehired e3getmehired Awaiting requested review from e3getmehired

Assignees

@petrubraha petrubraha

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sky11fca @petrubraha