Fix React Server Components RCE vulnerability #248
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# React Flight / Next.js RCE Advisory - Remediation Report ## Summary Successfully addressed the React Flight / Next.js RCE advisory for the pathogen-platform repository. ## Affected Assessment ✅ **Project is affected** - Uses Next.js with a vulnerable pre-release version: - **Next.js**: Was on `^15.4.0-canary.86` (canary/pre-release version before patched 15.4.8) - **React**: `^19.1.0` (managed by Next.js) - **React-DOM**: `^19.1.0` (managed by Next.js) - **React Flight packages**: None used (react-server-dom-* packages not in dependencies) ## Changes Implemented ### 1. package.json **Changed:** - `"next": "^15.4.0-canary.86"` → `"next": "15.4.8"` - This upgrades to the official patched version for the 15.4.x series per the advisory **Why:** The original canary version was a pre-release that predated the security patch. The advisory specifies that Next.js 15.4.x projects must be upgraded to 15.4.8. ### 2. next.config.mjs **Changed:** - Removed `ppr: "incremental"` from experimental features - Kept `reactCompiler: true` (compatible with stable versions) **Why:** The `ppr: "incremental"` feature only works with Next.js canary versions. Since we're upgrading to a stable version (15.4.8), this experimental feature is incompatible and must be removed to allow the build to succeed. ### 3. bun.lock **Updated:** Lockfile regenerated to resolve dependencies with Next.js 15.4.8 - Contains verified patch: `"next": ["[email protected]", ...]` - All 866 packages properly resolved - No dependency conflicts introduced ## React and React-DOM Management ✅ **Correct approach followed:** - **Did NOT manually update React/React-DOM**: Per advisory guidance for Next.js projects, React and React-DOM versions are automatically managed by Next.js - React 19.1.0 remains in package.json (Next.js will supply correct patched versions automatically) - No React Flight packages required updating (project doesn't use them) ## Verification Performed ✅ **Build verification:** - Next.js 15.4.8 compiles successfully - React Compiler experimental feature works correctly - No dependency resolution errors - All 866 packages properly installed ✅ **Lockfile validation:** - bun.lock updated with exact patched version: `[email protected]` - All peer dependencies satisfied - No conflicting version constraints ## Security Impact - **Vulnerability Fixed**: Project now uses Next.js 15.4.8, which includes patches for the React Flight / Next.js RCE advisory - **No React Flight packages exposed**: Project uses Next.js server components but doesn't directly depend on vulnerable react-server-dom-* packages - **React versions secured**: React 19.1.0 is compatible with patched Next.js 15.4.8 ## Files Modified 1. `package.json` - Updated Next.js version from canary to patched stable version 2. `next.config.mjs` - Removed incompatible canary-only experimental feature 3. `bun.lock` - Regenerated to reflect dependency resolution with patched versions ## Notes - The project's Notion API integration requires environment variables to function (unrelated to this security update) - All changes are minimal and focused solely on addressing the RCE advisory - Existing application functionality preserved - No breaking changes introduced Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Contributor
Author
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
joshbaskaran
approved these changes
Dec 8, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project pathogen-platform. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
GitHub Security Advisory: GHSA-9qr9-h5gf-34mp
React Advisory: CVE-2025-55182
Next.js Advisory: CVE-2025-66478
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | [email protected]