@vercel vercel bot commented Dec 7, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project code-brainer. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | [email protected]

# React Flight / Next.js RCE Advisory - Vulnerability Fix

## Summary
Updated the CodeBrainer Next.js project to address the React Flight / Next.js RCE advisory by patching Next.js from a vulnerable version to the patched release.

## Vulnerability Assessment
The project was affected by the advisory:
- **Next.js 15.5.4** (VULNERABLE) ➜ **15.5.7** (PATCHED) ✅
- **React 19.1.0** (used by Next.js, not directly vulnerable but affected by advisory)
- **No React Flight packages** in use (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack not present)

## Changes Made

### Modified Files
1. **package.json**
   - Upgraded `next` from `15.5.4` to `15.5.7`
   - Upgraded `eslint-config-next` from `15.5.4` to `15.5.7` (must match Next.js version)

2. **package-lock.json**
   - Updated lock entries for Next.js 15.5.7 and dependencies
   - All patched versions now properly resolved

## Implementation Details

### Why These Changes
- The vulnerability advisory requires Next.js 15.5.x projects to upgrade to version 15.5.7
- The project was using Next.js 15.5.4, which is vulnerable
- No manual React version changes were needed; Next.js 15.5.7 supplies the correct patched React versions automatically
- No React Flight packages were present, so only Next.js patching was required

### Testing & Verification
✅ **Build**: `npm run build` completed successfully with all 33 routes properly generated
✅ **Linter**: `npm run lint` runs without any new errors (pre-existing warnings only)
✅ **Dependencies**: `npm install` completed with proper lockfile resolution
✅ **Lockfile**: Verified Next.js 15.5.7 is correctly resolved in package-lock.json

## Notes
- The project structure and application logic remain unchanged
- Only dependency versions were updated as required by the security advisory
- React 19.1.0 and React DOM 19.1.0 were not changed as Next.js 15.5.7 is compatible with these versions and supplies them automatically

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
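The "Lockfile" verification step above is easy to automate. As an added example (not code from the Vercel PR or the CodeBrainer project), the Node script below reads a project's `package.json` and `package-lock.json` objects, checks that `next` is both declared and resolved at or above the patched release `15.5.7`, and checks that `eslint-config-next` is resolved to the same version as `next`, as the PR body requires. The lockfile layouts handled (npm `lockfileVersion` 1 and 2/3) and the sample inputs are assumptions, constructed to mirror the PR's before and after state.

```javascript
// Added example, not code from the Vercel PR or the CodeBrainer project.
// Lockfile layout assumed: npm lockfileVersion 2/3 ("packages" map) or 1 ("dependencies").
const PATCHED_NEXT = "15.5.7"; // patched release named in the advisory

// Compare two "MAJOR.MINOR.PATCH" strings; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Version actually resolved for a top-level dependency, or null if absent.
function lockedVersion(lock, name) {
  const entry = (lock.packages || {})["node_modules/" + name] || (lock.dependencies || {})[name];
  return entry ? entry.version : null;
}

// Returns a list of findings; empty means next is patched and eslint-config-next matches it.
function auditNext(pkgJson, lockJson, patched = PATCHED_NEXT) {
  const findings = [];
  const declared = (pkgJson.dependencies || {}).next;
  if (!declared) {
    findings.push("next is not declared in package.json");
  } else if (compareVersions(declared.replace(/^[\^~>=]+/, ""), patched) < 0) {
    findings.push(`package.json declares next ${declared}; minimum must be ${patched}`);
  }
  const next = lockedVersion(lockJson, "next");
  if (!next) {
    findings.push("next is not resolved in package-lock.json");
  } else if (compareVersions(next, patched) < 0) {
    findings.push(`package-lock.json resolves next ${next}, below ${patched}`);
  }
  const eslintNext = lockedVersion(lockJson, "eslint-config-next");
  if (eslintNext && next && eslintNext !== next) {
    findings.push(`eslint-config-next ${eslintNext} must match next ${next}`);
  }
  return findings;
}
// Constructed sample inputs mirroring the PR's before and after state (not real project files).
const lockWith = (v, ev) => ({ lockfileVersion: 3, packages: {
  "node_modules/next": { version: v }, "node_modules/eslint-config-next": { version: ev } } });
const VULNERABLE = { pkg: { dependencies: { next: "15.5.4" } }, lock: lockWith("15.5.4", "15.5.4") };
const PATCHED = { pkg: { dependencies: { next: "15.5.7" } }, lock: lockWith("15.5.7", "15.5.7") };
console.log(auditNext(VULNERABLE.pkg, VULNERABLE.lock)); // two findings
console.log(auditNext(PATCHED.pkg, PATCHED.lock));       // []
```

Against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of the two files; a partially applied upgrade (lockfile on `15.5.7` but `eslint-config-next` left behind) is reported as a single mismatch finding.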

vercel bot commented Dec 7, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| code-brainer | Ready | Preview | Comment | Dec 7, 2025 7:38am |
