Commit 9c0e0de
fix(security): update Next.js to 14.2.35 and fix 14 vulnerabilities

Reviewed incident dove-zebra regarding critical React2Shell RCE
vulnerabilities (CVE-2025-55182, CVE-2025-66478).

This repository was NOT affected by the critical RCE (CVSS 10.0)
because:

- Next.js 14.x stable is explicitly not affected per official advisory
- React 18.x does not include vulnerable RSC packages (React 19 only)

However, pnpm audit identified 14 other vulnerabilities that needed
remediation.

- next: 14.0.4 → 14.2.35 (fixes 13 CVEs)
- eslint-config-next: 14.0.0 → 14.2.35
- eslint: 8.52.0 → 8.57.1 (peer dependency requirement)
- lint-staged: 15.0.2 → 15.5.2 (fixes micromatch ReDoS)
- Added pnpm override for glob@>=10.5.0 (transitive vulnerability)

- TypeScript compilation: ✅ passed
- Next.js build compilation: ✅ passed
- pnpm audit: 0 vulnerabilities

Advisory:
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://nextjs.org/blog/CVE-2025-66478

Incident:
- https://app.incident.io/lightspeedhq/incidents/3042
- https://docs.google.com/spreadsheets/d/1Ac7vCVjknlTXZWK01G3poQrXrZX78uVrYE2P2Yk5y_o/edit?usp=sharing

1 parent 632884e commit 9c0e0de
2 files changed
+1741 -1069 lines changed
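Added example, not part of the commit or of the lightspeedhq repository: a version-floor check that mirrors the triage described in the commit message. The only values taken from the page are the fixed versions the message cites (next 14.2.35, eslint-config-next 14.2.35, eslint 8.57.1, lint-staged 15.5.2, glob 10.5.0). The BEFORE/AFTER maps and the `pnpm.overrides` object are constructed sample input; the glob "before" version is invented for illustration. The check works on resolved versions (what the lockfile actually pinned), not on package.json ranges, and applies semver prerelease precedence, so a canary build numbered below a stable floor is still reported as outdated, matching the advisory's stable-vs-canary distinction that the message relies on.

```javascript
// Added example for this commit page: check resolved dependency versions
// against the minimum fixed versions the commit message cites. Illustrative
// code, not from the repository or from pnpm. Only FLOORS comes from the
// page; BEFORE, AFTER and PACKAGE_JSON_PNPM are constructed sample input.

// Minimum versions named in the commit message as the remediation targets.
const FLOORS = {
  next: "14.2.35",
  "eslint-config-next": "14.2.35",
  eslint: "8.57.1",
  "lint-staged": "15.5.2",
  glob: "10.5.0",
};

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" per semver 2.0.0.
// Build metadata is ignored for precedence, as the spec requires.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers: numeric identifiers compare as
// numbers, alphanumerics compare in ASCII order, numeric < alphanumeric.
function comparePreId(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 like a sort comparator. A prerelease sorts BELOW the
// same version without a tag, so "14.2.35-canary.1" is below the "14.2.35"
// floor: a canary build does not satisfy a fix shipped in a stable release.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] < y.main[i] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreId(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// Given {name: resolvedVersion} (what the lockfile pinned, not the
// package.json range), list packages still below their floor.
function belowFloor(installed, floors = FLOORS) {
  const findings = [];
  for (const [name, floor] of Object.entries(floors)) {
    const have = installed[name];
    if (have === undefined) continue; // not in this dependency graph
    if (compareSemver(have, floor) < 0) findings.push({ name, installed: have, floor });
  }
  return findings;
}

// For a pnpm override such as {"glob": ">=10.5.0"}, check that the range's
// lower bound is at least the floor. Only ">=X.Y.Z" and exact "X.Y.Z" specs
// are handled (an assumption of this example, not a pnpm rule).
function overrideMeetsFloor(overrides, name, floor) {
  const spec = overrides[name];
  if (!spec) return false;
  const m = /^(?:>=)?\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/.exec(spec.trim());
  return m !== null && compareSemver(m[1], floor) >= 0;
}

// Constructed sample input modelled on the before/after versions in the
// commit message; the glob "before" version is invented.
const BEFORE = { next: "14.0.4", "eslint-config-next": "14.0.0", eslint: "8.52.0", "lint-staged": "15.0.2", glob: "10.3.10" };
const AFTER = { next: "14.2.35", "eslint-config-next": "14.2.35", eslint: "8.57.1", "lint-staged": "15.5.2", glob: "10.5.0" };
const PACKAGE_JSON_PNPM = { overrides: { glob: ">=10.5.0" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log("before:", belowFloor(BEFORE));
  console.log("after:", belowFloor(AFTER));
  console.log("glob override ok:", overrideMeetsFloor(PACKAGE_JSON_PNPM.overrides, "glob", FLOORS.glob));
}
```

Feed `belowFloor` the resolved versions from the lockfile or from `pnpm list --json` (not parsed here) rather than package.json ranges; a `^14.0.4` range says nothing about what is actually installed, which is why the commit's own verification step was `pnpm audit` on the installed graph.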