Copilot AI commented Dec 6, 2025

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

Original prompt

We need to update the React and the Next version of this repo against the vulnerability that was found. Please create this PR.

Summary of CVE-2025-55182
Dec 3, 2025
Summary
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Under certain conditions, specially crafted requests could lead to unintended remote code execution.

We created new rules to address this vulnerability and quickly deployed them to the Vercel WAF to automatically protect all projects hosted on Vercel at no cost. However, do not rely on the WAF for full protection: the rules block known request patterns, not the underlying bug. Immediate upgrades to a patched version are required. We also worked with the React team to deliver recommendations to the largest WAF and CDN providers.

We still strongly recommend upgrading to a patched version regardless of your hosting provider.

Impact
Applications using affected versions of the React Server Components implementation may process untrusted input in a way that allows an attacker to perform remote code execution. The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of the following packages:

react-server-dom-parcel (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

react-server-dom-webpack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)

These packages are included in the following frameworks and bundlers:

Next.js with versions ≥14.3.0-canary.77, ≥15 and ≥16

Other frameworks and plugins that embed or depend on React Server Components implementation (e.g., Vite, Parcel, React Router, RedwoodSDK, Waku)

Resolution
After creating mitigations to address this vulnerability, we deployed them across our globally-distributed platform to quickly protect our customers. We still recommend upgrading to the latest patched version.

Updated releases of React and affected downstream frameworks include hardened handling of user inputs to prevent unintended behavior. All users should upgrade to a patched version as soon as possible. If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1

Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 15.6.0-canary.58, 16.0.7

Frameworks and bundlers using the aforementioned packages should install the latest versions provided by their respective maintainers.

Credit
Thanks to Lachlan Davidson for identifying and responsibly reporting the vulnerability, and the Meta Security and React team for their partnership.

References
Next.js GHSA

React GHSA
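An added example, not code from the Vercel advisory, the React project or this repository: a small Node.js script that classifies the Next.js and react-server-dom-* versions pinned in a package-lock.json against the affected and "Fixed in" versions listed above. The lockfile fragment, its package versions and the helper names (parseVersion, compareVersions, nextStatus, rscStatus, auditLockfile) are constructed for the example; a status of "unknown" means a release line the advisory does not list, and anything below the first patched release of a listed line (prereleases included) is flagged as affected.

```javascript
// Added example, not code from the Vercel advisory, the React project or this
// repository. Classifies pinned versions against the version lists quoted above.

// React Server Components packages named in the advisory, and the first
// patched release of each affected 19.x line ("Fixed in" list).
const RSC_PACKAGES = ["react-server-dom-parcel", "react-server-dom-webpack", "react-server-dom-turbopack"];
const RSC_FIXED = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };

// First patched Next.js release per minor line ("Fixed in" list). Next.js ships
// its own copy of the RSC packages, so the "next" version is what to check.
const NEXT_FIXED = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "15.6": "15.6.0-canary.58", "16.0": "16.0.7",
};

// Parse "15.6.0-canary.58" into numeric parts plus prerelease identifiers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : null };
}

// Semver ordering: compare x.y.z, then a prerelease sorts before the release
// with the same x.y.z, and numeric prerelease identifiers compare as numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    if (/^\d+$/.test(x) && /^\d+$/.test(y)) return Number(x) < Number(y) ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Returns "affected" | "patched" | "not-affected" | "unknown" (a line the advisory does not list).
function nextStatus(version) {
  const v = parseVersion(version);
  if (v.major < 14) return "not-affected";
  if (v.major === 14) {
    // Only canaries from 14.3.0-canary.77 onward are affected; the advisory tells
    // those users to downgrade to stable 14.x, so stable 14.x is treated as not affected.
    if (!v.pre) return "not-affected";
    return compareVersions(version, "14.3.0-canary.77") >= 0 ? "affected" : "not-affected";
  }
  const fixed = NEXT_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return "unknown";
  return compareVersions(version, fixed) >= 0 ? "patched" : "affected";
}

function rscStatus(version) {
  const v = parseVersion(version);
  if (v.major !== 19) return "not-affected"; // the advisory scopes the bug to React 19
  const fixed = RSC_FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return "unknown";
  // Anything below the fixed release of the line, prereleases included, is flagged.
  return compareVersions(version, fixed) >= 0 ? "patched" : "affected";
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json
// (keys look like "node_modules/next" or "node_modules/a/node_modules/next").
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = path.split("node_modules/").pop();
    if (!entry.version) continue;
    let status = null;
    if (name === "next") status = nextStatus(entry.version);
    else if (RSC_PACKAGES.includes(name)) status = rscStatus(entry.version);
    if (status && status !== "not-affected") findings.push({ name, version: entry.version, status });
  }
  return findings;
}

// Constructed lockfile fragment standing in for JSON.parse(fs.readFileSync("package-lock.json")).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/next": { version: "15.5.4" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.1.2" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it with node after swapping the constructed SAMPLE_LOCK for the parsed lockfile of the repository; anything reported as "affected" needs the upgrade described above, and an "unknown" line should be checked against the maintainers' release notes rather than assumed safe. The same three package names can be confirmed on a live install with npm ls.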


vercel bot commented Dec 6, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
nounspace-ts Ready Ready Preview Comment Dec 6, 2025 5:40pm

coderabbitai bot commented Dec 6, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.
