
@nirnejak (Collaborator) commented Dec 3, 2025

Pull Request

Summary

React Version updated for security fix - Reference - https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that causes existing functionality to change)
  • Documentation update
  • Refactoring/code cleanup
  • Content update (blog posts, tools data, etc.)

Changes Made

Testing

  • Local development tested
  • Build passes (npm run build)
  • No TypeScript errors
  • No linting errors
  • Manual testing completed

Database Changes (if applicable)

  • Database migration included
  • Migration tested locally
  • Rollback plan documented

Content Changes (if applicable)

  • Tool data updated in src/lib/toolData.json
  • Blog post follows content guidelines
  • Images optimized and properly sized
  • SEO metadata updated

UI/UX Changes (if applicable)

  • Responsive design tested
  • Accessibility considerations addressed
  • Dark mode compatibility verified
  • Loading states implemented

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Documentation updated if needed
  • No new console warnings or errors
  • Performance impact considered

Screenshots/Demo

Related Issues

Additional Notes

Summary by CodeRabbit

  • Chores
    • Upgraded React and TypeScript type definition packages to the latest compatible versions for improved stability.
    • Refined TypeScript build configuration to enhance type resolution and development tooling integration.


vercel bot commented Dec 3, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
devtoolsacademy | Ready | Preview | Comment | Dec 3, 2025 10:24pm

coderabbitai bot (Contributor) commented Dec 3, 2025

Walkthrough

This pull request updates React and TypeScript type definition versions to patch releases (^19.2.x), reformats tsconfig.json arrays to multi-line format, and adds a new include path for Next.js dev types compilation.

Changes

Cohort / File(s): Summary

  • Dependency Updates (package.json): Updated React, React DOM, and their TypeScript type definitions to newer patch versions: react and react-dom from ^19.1.0 to ^19.2.1; @types/react from ^19.1.6 to ^19.2.7; @types/react-dom from ^19.1.5 to ^19.2.3
  • Configuration Changes (tsconfig.json): Reformatted JSON arrays from single-line to multi-line representations for readability; added ".next/dev/types/**/*.ts" to the include section for TypeScript compilation

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

  • Dependency version updates are routine patch-level bumps with no breaking changes
  • Configuration formatting changes are cosmetic and non-functional
  • No logic or structural changes to review

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

  • Description check (⚠️ Warning): The description is incomplete: the 'Changes Made' section is empty despite significant updates to package.json and tsconfig.json. Additionally, several checklist items are left unchecked despite claims of testing. Resolution: Add specific changes under 'Changes Made' section (React version bump, TypeScript types update, tsconfig.json modifications). Verify and check all applicable testing and checklist items accurately.

✅ Passed checks (2 passed)

  • Title check (✅ Passed): The title accurately reflects the main change: updating React versions for security reasons, which aligns with the package.json modifications and the PR's stated objective.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@nirnejak nirnejak requested a review from tyaga001 December 3, 2025 22:23
coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between af5a904 and b37e47f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json (2 hunks)
  • tsconfig.json (3 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-04-14T07:46:36.019Z
Learnt from: tyaga001
Repo: tyaga001/devtoolsacademy PR: 110
File: package.json:39-39
Timestamp: 2025-04-14T07:46:36.019Z
Learning: The "prisma" package should be placed in devDependencies rather than dependencies, as it's only needed during development. The "prisma/client" package should remain in dependencies as it's used at runtime.

Applied to files:

  • package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: build (20.x)
  • GitHub Check: build (18.x)
🔇 Additional comments (4)
tsconfig.json (2)

3-7: JSON formatting improvements approved.

Converting arrays to multi-line format improves readability and is standard practice. No functional changes here.

Also applies to: 20-26, 33-44, 58-60


56-56: Include path addition for Next.js dev types is appropriate.

Adding ".next/dev/types/**/*.ts" enables TypeScript compilation of Next.js dev-time type definitions. This complements the React 19.2.x type updates and aligns with Next.js best practices.

package.json (2)

39-40: React security patch applied correctly.

React 19.2.1 patches CVE-2025-55182. This is the correct fixed version for the critical CVSS 10.0 React Server Components vulnerability.


51-52: Type definitions are appropriately versioned.

@types/react and @types/react-dom versions align with the React 19.2.1 runtime. The type definitions support proper TypeScript compilation with the patched React versions.

@@ -36,8 +36,8 @@
"motion": "^12.15.0",
"next": "^15.3.3",
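Review bot: The hunk leaves `"next": "^15.3.3"` as unchanged context while only the React entries move; the review thread cites Next.js 15.3.6 as the patched release for the same RSC issue, so the `next` line should be bumped in this change rather than left for a follow-up. Note also that `^15.3.3` already admits 15.3.6, so whether the patched build is actually installed is decided by package-lock.json, which this review excludes via the path filter; regenerate and commit the lockfile alongside the bump so the resolved versions are visible in the diff.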
coderabbitai bot (Contributor) commented on this hunk:

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CVE-2025-66478 Next.js vulnerability

💡 Result:

Short summary — CVE-2025-66478

  • What it is: a critical remote‑code‑execution (RCE) issue in the React Server Components (RSC) “flight”/deserialization handling that also affects Next.js App Router. An attacker can send a crafted HTTP request to a Server Function / RSC endpoint to achieve unauthenticated code execution on the server. [1][2]

  • Affected packages / versions:

    • React RSC packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack versions 19.0.0, 19.1.0, 19.1.1, 19.2.0. [1]
    • Next.js: App‑Router builds in Next.js 15.x and 16.x (>=14.3.0-canary.77 / broadly 15+ / 16+). [1][2]
  • Fixed versions / immediate action:

    • Upgrade React RSC packages to patched releases: 19.0.1, 19.1.2, 19.2.1. [1]
    • Upgrade Next.js to the patched releases (examples published by the Next.js team include 15.0.5 and later/other 15.x and 16.x patches — upgrade to the latest 15.x or 16.x release that contains the fix and redeploy). [2][3]
    • If you host on Vercel: Vercel has deployed platform protections; still update your app to patched versions as soon as possible. [2][3]
  • Risk / urgency: CVSS 10.0 — treat as critical. Patch immediately and redeploy; if you cannot update immediately, apply host‑level WAF or blocking rules to RSC/Server Function endpoints and restrict access where possible while you patch. [1][2]

Sources: The Hacker News (summary of disclosure) [1]; aggregated GitHub advisory / CVE record and vendor advisories (GHSA / Vercel summaries) [2]; Next.js vendor guidance / community notes (upgrade recommendations) [3].


🌐 Web query:

Next.js 15.3.6 security patch CVE

💡 Result:

Next.js v15.3.6 is not vulnerable to the App‑Router cache‑poisoning issue tracked as CVE‑2025‑49005 (that affected >=15.3.0 and <15.3.3 and was fixed in 15.3.3). See Vercel's advisory and the GitHub/NVD entries. [1][2][3]

Related Next.js CVEs you may want to review (already fixed in other releases): CVE‑2025‑32421, CVE‑2025‑49826, CVE‑2025‑29927. Check Next.js/Vercel changelogs and advisories for mitigation details and to confirm you’re on a patched release. [4][5][6]

Sources:

  • Vercel changelog: CVE‑2025‑49005. [1]
  • GitHub Advisory (GHSA / CVE‑2025‑49005). [2]
  • NVD entry for CVE‑2025‑49005. [3]
  • NVD/GitLab advisories for other Next.js CVEs (CVE‑2025‑32421, CVE‑2025‑49826). [4][5]
  • Vercel changelogs / Next.js release notes. [6]

🌐 Web query:

Next.js React Server Components vulnerability 2025

💡 Result:

Short summary — two notable 2025 RSC-related issues:

  • Critical RCE in React Server Components / Server Functions (CVE-2025-55182) disclosed Dec 3, 2025 — allows unauthenticated remote code execution via crafted RSC payloads; React and downstream frameworks/hosts released mitigations; upgrade React/Next.js and apply host patches immediately. (thehackernews.com)

  • Cache-poisoning bug in Next.js App Router (CVE-2025-49005) disclosed Jul 3, 2025 — RSC payloads could be cached/served as HTML when middleware/redirects were present; fixed in Next.js 15.3.3 (upgrade + redeploy). (nvd.nist.gov)

Action items: upgrade Next.js/React to patched versions, redeploy, apply platform (Vercel/Netlify) advisories, and review caches/CDN Vary/keys. (netlify.com)

Citations:


🌐 Web query:

CVE-2025-66478 vs CVE-2025-55182 Next.js React

💡 Result:

Short answer: CVE-2025-55182 is the root React vulnerability (React Server Components / Flight protocol — unsafe deserialization enabling unauthenticated RCE). CVE-2025-66478 is the Next.js/Downstream tracking/duplicate CVE for the same issue as it affects Next.js App Router. Both are critical (CVSS 10) and require immediate patching. [1][2][3]

Key details

  • Root cause: unsafe decoding/deserialization in React Server Components (RSC / Flight) allowing unauthenticated remote code execution. [2][3]
  • Affected packages/versions:
    • React RSC packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack — versions 19.0.0, 19.1.0, 19.1.1, 19.2.0. [1][2]
    • Next.js (App Router): >=14.3.0-canary.77, 15.x and 16.x (specific affected ranges published by Next/Vercel). [1][3]
  • Patched releases:
    • React: 19.0.1, 19.1.2, 19.2.1. [1][2]
    • Next.js: 15.0.5 and subsequent point releases listed by Vercel (also 16.0.7, etc.) — upgrade to the listed patched Next.js versions. [1]
  • Operational notes: Vercel has deployed platform-level mitigations but recommends everyone upgrade; apply WAF/request-filtering as temporary mitigation if you can’t patch immediately. [1]

Sources

  • Vercel changelog / advisory (summary, affected versions, patched releases). [1]
  • Wiz technical advisory (root cause: logical deserialization in RSC). [2]
  • The Hacker News coverage summarizing impact and affected Next.js versions. [3]

If you want, I can: (a) list exact Next.js patched versions for your current version, (b) give the minimal npm/yarn commands to upgrade and test, or (c) generate WAF rules/NGINX examples to block likely exploit patterns.


🌐 Web query:

"Next.js 15.3.6" CVE-2025-66478

💡 Result:

Short answer: CVE-2025-66478 is the Next.js identifier for a critical Remote Code Execution (RCE) issue tied to the React Server Components "flight" protocol (root CVE: CVE-2025-55182). It affects Next.js App Router usages in 15.x/16.x (including builds around 15.3.6) and is rated critical (CVSS 10.0). Mitigation: upgrade immediately to the patched Next.js releases (and patched React 19.x releases) and redeploy; platform hosts (Vercel/Netlify/Cloudflare/etc.) have also applied protective WAF/platform rules. [1][2][3]

References

  • The Hacker News — summary of the React/Next.js RSC RCE (CVE-2025-55182 / CVE-2025-66478). [1]
  • GitHub / Next.js security advisories (Next.js App Router cache/RSC advisories and GHSA entries). [2]
  • Netlify incident / vendor advisory describing affected Next.js 15.x/16.x and mitigations. [3]

🌐 Web query:

Next.js 15.3.6 release notes security

💡 Result:

Yes — Next.js 15.3.6 is a security patch. It includes the fix for the critical React Server Components vulnerability (CVE-2025-55182 / Next.js CVE-2025-66478) that can allow unauthenticated remote code execution via RSC payloads; Next.js 15.3.6 is listed among the patched Next.js versions. Upgrade immediately if you run affected releases. [1][2]

Note: earlier 15.3.x releases also addressed a cache-poisoning issue (CVE-2025-49005) in 15.3.3 — ensure you’re on 15.3.6 or later and redeploy. [3]

Sources:

  • Vercel changelog (summary of CVE-2025-55182 / patched Next.js versions). [1]
  • Coverage of the RSC RCE vulnerability and affected versions. [2]
  • GitHub/GitLab advisory for the 15.3.0–15.3.3 cache-poisoning issue (CVE-2025-49005). [3]

Update Next.js to 15.3.6 or later to address CVE-2025-66478.

Next.js 15.3.3 is vulnerable to CVE-2025-66478, a critical remote code execution vulnerability in React Server Components deserialization (CVSS 10.0). This affects Next.js App Router builds where RSC is enabled by default. Upgrade to Next.js 15.3.6 or later immediately.

-    "next": "^15.3.3",
+    "next": "^15.3.6",

Also ensure React and related RSC packages are updated to patched versions (React 19.0.1, 19.1.2, or 19.2.1). Redeploy after upgrading.

🤖 Prompt for AI Agents
In package.json around line 37, Next.js is pinned to "next": "^15.3.3" which is
vulnerable to CVE-2025-66478; update the Next dependency to at least "next":
"^15.3.6" (or later), also bump React and any RSC-related packages to patched
releases (React 19.0.1, 19.1.2, or 19.2.1 as appropriate), run your package
manager (npm/yarn/pnpm) to install the updated versions, run the app build and
tests, and redeploy.
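As an added example (not code from the PR or the project), the check a reviewer would want at this point: caret ranges in package.json say nothing about what was actually installed, so this script walks a package-lock.json `packages` map and flags resolutions matching the affected RSC versions and the unpatched Next.js 15.3 release quoted in the review above. The lockfile content is constructed, and the per-line table of patched Next.js releases is an assumption limited to the 15.3.6 figure the page states.

```javascript
// Added example, not the PR's or the project's code: audit what package-lock.json resolved.
const RSC_PACKAGES = new Set(["react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack"]);
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]); // fixed: 19.0.1, 19.1.2, 19.2.1
// Patched Next.js release per minor line. Assumption: only the 15.3 line (15.3.6,
// as cited in the review) is encoded; any other line produces a manual-check finding.
const NEXT_FIXED = { "15.3": "15.3.6" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Walks the lockfileVersion 2/3 "packages" map; returns one finding per known-bad resolution.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The root entry ("") and workspace entries carry no resolved version of interest.
    if (!path.includes("node_modules/") || !meta.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (RSC_PACKAGES.has(name) && AFFECTED_RSC.has(meta.version)) {
      findings.push(`${name}@${meta.version} at ${path}: affected RSC release`);
    } else if (name === "next") {
      const v = parseVersion(meta.version);
      const line = v ? `${v[0]}.${v[1]}` : "unknown";
      const fixed = NEXT_FIXED[line];
      if (!fixed) findings.push(`next@${meta.version} at ${path}: line ${line} not encoded, check the advisory`);
      else if (cmp(v, parseVersion(fixed)) < 0) findings.push(`next@${meta.version} at ${path}: below patched ${fixed}`);
    }
  }
  return findings;
}

// Constructed lockfile: react is bumped, but next and a nested RSC package still resolve to affected versions.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "devtoolsacademy", dependencies: { next: "^15.3.3", react: "^19.2.1" } },
  "node_modules/react": { version: "19.2.1" },
  "node_modules/next": { version: "15.3.3" },
  "node_modules/next/node_modules/react-server-dom-webpack": { version: "19.2.0" },
} });

console.log(auditLockfile(SAMPLE_LOCK).join("\n"));
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with `fs.readFileSync("package-lock.json", "utf8")`; an empty result means nothing resolved to a version the review names as affected, not that the whole dependency tree is clean.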

@tyaga001 tyaga001 merged commit 43c95a9 into main Dec 4, 2025
6 checks passed