Skip to content

Fix React Server Components RCE vulnerability#1

Draft
vercel[bot] wants to merge 1 commit into
masterfrom
vercel/repository-for-react-flight-rc-xk10oo
Draft

Fix React Server Components RCE vulnerability#1
vercel[bot] wants to merge 1 commit into
masterfrom
vercel/repository-for-react-flight-rc-xk10oo

Conversation

@vercel

@vercel vercel Bot commented Dec 7, 2025

Copy link
Copy Markdown

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project akshit. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

# React Flight / Next.js RCE Advisory - Fix Implementation Report

## Project Analysis

This Next.js portfolio project was assessed for vulnerability to the React Flight / Next.js RCE advisory (CVE-2025-55182, CVE-2025-66478).

### Vulnerability Detection Results

**Affected Packages Search:**
- ✓ Project uses Next.js (original version: 15.1.2 → patched to: 15.1.9)
- ✗ Project does NOT use `react-server-dom-webpack`
- ✗ Project does NOT use `react-server-dom-parcel`
- ✗ Project does NOT use `react-server-dom-turbopack`

### Vulnerability Assessment

The project WAS vulnerable to the React Flight RCE advisory:
- **Next.js 15.1.2**: Vulnerable (affected by CVE-2025-66478)
- **React 19.0.0**: Mentioned in advisory but handled by Next.js dependency management

### Changes Made

#### Files Modified:
1. **package.json**
   - Updated `next` from `15.1.2` to `15.1.9` (patched version for 15.1.x)

2. **package-lock.json**
   - Automatically updated to reflect Next.js 15.1.9 and its dependencies
   - Updated @next/* modules to version 15.1.9

#### Implementation Details

Following the advisory's upgrade rules:
- Next.js 15.1.x → upgraded to 15.1.9 ✓
- No manual React/React-DOM upgrades (Next.js manages these automatically) ✓
- No React Flight packages in the project ✓

### Build Verification

✓ **Build completed successfully** with Next.js 15.1.9
- All routes compiled successfully
- Static page generation completed
- No errors or warnings

### Advisory Compliance

The project now complies with the React Flight / Next.js RCE advisory:
- Next.js upgraded from vulnerable 15.1.2 to patched 15.1.9
- React and React-DOM versions managed by Next.js dependency resolution
- No React Flight packages directly used in the project

**Implementation Date**: December 7, 2025
**Status**: ✓ Complete and verified

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@vercel

vercel Bot commented Dec 7, 2025

Copy link
Copy Markdown
Author

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
akshit Ready Ready Preview Comment Dec 7, 2025 7:53am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants