@vercel vercel bot commented Dec 8, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project birdplan-frontend. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

## React Flight / Next.js RCE Advisory Security Update Report

### Vulnerability Details
- **CVE-2025-55182 / CVE-2025-66478**: Critical RCE vulnerabilities in React Server Components
- **CVSS Score**: 10.0
- **Affected Packages**: Primarily react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack
- **Affected Next.js Versions**: 15.0.x through 15.5.x, 16.0.x, and certain 14.3.0-canary releases

### Project Assessment

**STATUS: PROJECT WAS VULNERABLE - NOW PATCHED ✅**

This repository has been successfully updated to address the React Flight RCE vulnerability.

### Analysis

#### Monorepo Structure
The project is a monorepo with 4 workspaces:
- `frontend/` - Next.js application (AFFECTED)
- `backend/` - Hono-based Node.js application (Not affected)
- `shared/` - TypeScript utilities (Not affected)
- `scripts/` - Utility scripts (Not affected)

### Changes Made

#### 1. Frontend Next.js Upgrade

**File: `frontend/package.json`**

Updated Next.js and related dependencies from vulnerable to patched versions:

| Package | Original | Updated | Status |
|---------|----------|---------|--------|
| `next` | 15.2.0 | 15.2.6 | ✅ Patched |
| `eslint-config-next` | 15.2.0 | 15.2.6 | ✅ Updated |

**Rationale:**
- Next.js 15.2.0 is vulnerable to CVE-2025-55182
- Next.js 15.2.6 is the patched version for the 15.2.x line per the official advisory
- `eslint-config-next` version must match the Next.js version for compatibility

**Why React wasn't modified:**
- Per the official React security advisory: "react and react-dom themselves are not vulnerable"
- The project does NOT use React Flight packages (react-server-dom-*)
- React 19.0.0 remains safe to use in this context
- Next.js manages React dependency compatibility automatically

#### 2. Lockfile Update

**File: `package-lock.json`**

- Updated to reflect Next.js 15.2.6 and associated transitive dependencies
- All dependency resolution complete - lockfile shows patched versions throughout
- No React Flight packages added (not required for this project)

### Verification

**Original Versions (Vulnerable):**
```
frontend@0.1.0
├── next@15.2.0 ❌ VULNERABLE
├── eslint-config-next@15.2.0
├── react@19.0.0 (safe without React Flight packages)
└── react-dom@19.0.0 (safe without React Flight packages)
```

**Updated Versions (Patched):**
```
frontend@0.1.0
├── next@15.2.6 ✅ PATCHED
├── eslint-config-next@15.2.6
├── react@19.0.0 (safe without React Flight packages)
└── react-dom@19.0.0 (safe without React Flight packages)
```

**Build Status:**
- Build has a pre-existing TypeScript error in `frontend/pages/_document.tsx` (unrelated to the security update)
- This error exists independently of the React/Next.js version upgrade
- Per requirements: only dependency-related errors were addressed

### What Was NOT Modified

✅ **Correctly excluded from changes:**
- `react` and `react-dom` - not vulnerable by themselves and Next.js manages these
- `react-server-dom-*` packages - project doesn't use React Flight
- Backend, shared, or scripts workspaces - not affected by this vulnerability
- Application code - only dependency versions were updated

### Security Impact

**Vulnerability Mitigation:**
- ✅ Upgraded Next.js from vulnerable 15.2.0 to patched 15.2.6
- ✅ Removed exposure to CVE-2025-55182 and CVE-2025-66478
- ✅ Maintained compatibility with existing React 19.0.0
- ✅ All dependencies resolve correctly in lockfile

### Recommendations

1. ✅ **Deploy immediately** - Security patch is now ready
2. ⚠️ **Consider fixing** the pre-existing TypeScript error in `_document.tsx` for successful builds
3. 📋 **Monitor** for future security advisories and Next.js updates
4. 🔍 **Review** if React Flight packages should be used in the future (not currently needed)

### Files Modified

1. `frontend/package.json` - Next.js and ESLint config version bumps
2. `package-lock.json` - Updated dependency tree
3. `.vade-report` - This security assessment report

---
**Update Type**: Security Patch  
**Severity**: Critical (CVSS 10.0)  
**Risk Level After Update**: Resolved ✅  
**Generated**: December 8, 2025

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@rawcomposition rawcomposition deleted the vercel/nextjsreact-flight-rce-vulnera-b3gja7 branch December 17, 2025 22:25