Fix React Server Components RCE vulnerability#210
Conversation
Updated dependencies to fix Next.js CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| "@next/swc-linux-x64-musl": "15.2.5", | ||
| "@next/swc-win32-arm64-msvc": "15.2.5", | ||
| "@next/swc-win32-x64-msvc": "15.2.5", | ||
| "sharp": "^0.33.5" |
There was a problem hiding this comment.
Bug: Version mismatch between Next.js and SWC packages
The package-lock.json shows next version 15.2.6 with @next/env at 15.2.6, but all @next/swc-* optional dependencies are locked to version 15.2.5. This version mismatch between the main next package and its SWC compiler binaries could cause build or runtime issues, as these packages are typically expected to be version-aligned. The lock file may have been incorrectly generated or modified.
Additional Locations (1)
| @@ -1,5 +1,5 @@ | |||
| { | |||
| "name": "mostlyai-docs", | |||
| "name": "primary", | |||
There was a problem hiding this comment.
Bug: Project name accidentally changed in lock file
The package-lock.json has the project name changed from "mostlyai-docs" to "primary". This change is unrelated to the stated security fix purpose and appears to be an accidental modification that could cause confusion or issues if the project name has any significance in the build or deployment process.
| "integrity": "sha512-eNKB1q8C7o9zXF8+jgJs2CzSLIU3T6bQtX6DcTnCq1sIR1CJ0GlSyRs1BubQi3/JgCnr9Vr+rS5mOMI38FFyQw==", | ||
| "version": "15.2.6", | ||
| "resolved": "https://registry.npmjs.org/next/-/next-15.2.6.tgz", | ||
| "integrity": "sha512-DIKFctUpZoCq5ok2ztVU+PqhWsbiqM9xNP7rHL2cAp29NQcmDp7Y6JnBBhHRbFt4bCsCZigj6uh+/Gwh2158Wg==", |
There was a problem hiding this comment.
Bug: Security fix downgrades Next.js instead of upgrading
The package-lock.json shows next being downgraded from 15.4.1 to 15.2.6, which contradicts the PR description stating it "upgrades the affected React and Next.js packages to patched versions." Security fixes typically upgrade to newer patched versions rather than downgrade. This version rollback could fail to address the stated RCE vulnerability (CVE-2025-66478) if the fix was released in a version between 15.2.6 and 15.4.1, or could reintroduce other vulnerabilities fixed in those intervening versions. The automated PR may have incorrectly resolved the target version.
1 participant
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project mostlyai-docs. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
GitHub Security Advisory: GHSA-9qr9-h5gf-34mp
React Advisory: CVE-2025-55182
Next.js Advisory: CVE-2025-66478
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com
Note
Pins Next.js to 15.2.6 and updates the lockfile (SWC binaries, adds busboy/@swc/counter) while aligning sharp and libvips to 0.33.5-series.
nextto15.2.6inpackage.json.@next/swc-*to15.2.5, add@swc/counter, addbusboy(andstreamsearch), adjust@playwright/testpeer range.sharpto0.33.5and update related@img/sharp-*and@img/sharp-libvips-*packages accordingly.Written by Cursor Bugbot for commit daa9aeb. This will update automatically on new commits. Configure here.