Fix React Server Components RCE vulnerability #2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## React Flight / Next.js RCE Advisory Fix ### Summary Successfully addressed the React Flight / Next.js RCE vulnerability (CVE-2024-56756) for this project. ### Analysis The project was affected by the vulnerability as it: - Uses Next.js with version 15.3.4 (vulnerable) - Does not directly depend on React Flight packages (react-server-dom-*), as these are bundled within Next.js ### Changes Made #### Modified Files 1. **package.json** - Updated `next` from `"latest"` to `"15.3.6"` (patched version for 15.3.x) - React and react-dom versions remain unchanged at `^19.0.0` as per advisory (Next.js provides patched versions) 2. **package-lock.json** - Updated via `npm install` to reflect Next.js 15.3.6 and all transitive dependencies - Verified that the lockfile resolves to the exact patched version `15.3.6` ### Verification - ✓ Dependencies installed successfully with `npm install` - ✓ Next.js version confirmed as 15.3.6 via `npm list next` - ✓ Project builds successfully with `npm run build` - ✓ No application logic was modified; only dependencies were patched ### Why These Changes According to the React Flight / Next.js RCE advisory fix requirements: - Next.js 15.3.x projects should be upgraded to 15.3.6 (the patched version for that minor) - React and react-dom do not need manual updates for Next.js projects, as Next.js supplies the correct patched versions - React Flight packages (react-server-dom-*) are not direct dependencies in this project; they are bundled within Next.js ### Project Status - Framework: Next.js with Turbopack (dev mode uses --turbopack flag) - Build: ✓ Compiles successfully after patching - No other dependencies or configurations were affected Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Author
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project hita. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
GitHub Security Advisory: GHSA-9qr9-h5gf-34mp
React Advisory: CVE-2025-55182
Next.js Advisory: CVE-2025-66478
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com