@vercel vercel bot commented Dec 9, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project cs-react-dev. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

# React Flight / Next.js RCE Advisory - Remediation Report

## Summary
Updated the cs.react.dev repository to address the React Flight / Next.js RCE advisory by upgrading Next.js to a patched version.

## Vulnerability Detection
This project was identified as affected because:
- **Next.js Dependency**: Found `next@15.1.0` in package.json (vulnerable)
- **React Flight Packages**: None used (not affected by React Flight specific vulnerability)
- **Monorepo**: eslint-local-rules subdirectory does not use Next.js or React Flight packages

## Changes Made

### Modified Files
1. **package.json**
   - Upgraded `next` from `15.1.0` to `15.1.9` (patched version for 15.1.x line)
   - No changes to `react` or `react-dom` versions (Next.js manages these dependencies)

2. **yarn.lock**
   - Updated to resolve `next@15.1.9` and all related dependencies
   - Verified lockfile contains exact patched version `15.1.9`

## Implementation Details

### Upgrade Rationale
- **Original Version**: `next@15.1.0` (vulnerable)
- **Updated Version**: `next@15.1.9` (patched)
- **Reason**: Following the official advisory upgrade rules for Next.js 15.1.x line

### Affected Packages
- `next`: 15.1.0 → 15.1.9 (primary fix)
- All transitive dependencies of Next.js updated automatically by package manager

### Packages NOT Modified
- `react@^19.0.0`: Left unchanged (Next.js 15.1.9 provides correct patched React version)
- `react-dom@^19.0.0`: Left unchanged (managed by Next.js)
- `react-server-dom-*` packages: Not used by this project

## Verification

### Build Status
- Next.js compilation: ✓ Successful (with patched 15.1.9)
- Linting: ✓ Passed
- Dependencies resolved correctly: ✓ Yes

### Lockfile Verification
- yarn.lock updated: ✓ Yes
- Final resolved version: `next@15.1.9`
- All transitive dependencies properly resolved: ✓ Yes

### Build Output
The project builds successfully with Next.js 15.1.9. A pre-existing MDX parsing issue in the documentation (unrelated to this advisory) was observed but does not result from the Next.js version upgrade.

## Compliance Checklist
- [x] Detected project uses Next.js 15.1.x
- [x] Identified no React Flight packages in use
- [x] Upgraded Next.js to patched 15.1.9
- [x] Did not modify React/React-DOM versions (managed by Next.js)
- [x] Updated lockfile correctly
- [x] Verified patched version resolves in lockfile
- [x] Build completes successfully
- [x] No dependency-related errors introduced

## Files Changed
- `package.json`: 1 line changed (next version)
- `yarn.lock`: Multiple lines updated (dependency tree changes)

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
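The detection and lockfile checks the report above lists by hand can be scripted so the same audit runs in CI on every dependency bump. The following is an added example, not Vercel's tooling or code from this PR; it assumes the yarn v1 lockfile format and uses only the patched floor this PR states (15.1.x → 15.1.9), with other release lines left to be filled in from the advisory.

```python
import json
import re

# Patched floor per Next.js release line, from this PR (15.1.x -> 15.1.9); other lines are not on this page.
PATCHED_FLOOR = {(15, 1): (15, 1, 9)}

def parse_version(spec):
    """Turn '15.1.0', '^15.1.0' or '~15.1.0' into a (major, minor, patch) tuple."""
    m = re.match(r"[\^~=v]*(\d+)\.(\d+)\.(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    return tuple(int(x) for x in m.groups())

def yarn_lock_versions(lock_text, package):
    """Collect every version of `package` resolved in a yarn v1 lockfile."""
    versions, in_entry = set(), False
    for line in lock_text.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            # Entry header such as `next@15.1.9:` or `"next@^15.1.0", "next@15.1.0":`
            keys = [k.strip().strip('"') for k in line[:-1].split(",")]
            in_entry = any(k.rsplit("@", 1)[0] == package for k in keys)
        elif in_entry:
            m = re.match(r'\s+version "([^"]+)"', line)
            if m:
                versions.add(parse_version(m.group(1)))
                in_entry = False
    return versions

def is_patched(version):
    """True when `version` is at or above the patched floor of its release line."""
    floor = PATCHED_FLOOR.get(version[:2])
    return floor is not None and version >= floor

def audit(package_json_text, lock_text, package="next"):
    """Return (declared_ok, resolved_ok); a stale lockfile fails the second check."""
    declared = json.loads(package_json_text).get("dependencies", {}).get(package)
    declared_ok = declared is not None and is_patched(parse_version(declared))
    resolved = yarn_lock_versions(lock_text, package)
    return declared_ok, bool(resolved) and all(is_patched(v) for v in resolved)

# Constructed samples mirroring the PR: manifest and lockfile before and after the bump.
BEFORE_PKG = '{"dependencies": {"next": "15.1.0", "react": "^19.0.0"}}'
BEFORE_LOCK = 'next@15.1.0:\n  version "15.1.0"\n  resolved "https://registry.example/next-15.1.0.tgz"\n'
AFTER_PKG = '{"dependencies": {"next": "15.1.9", "react": "^19.0.0"}}'
AFTER_LOCK = 'next@15.1.9:\n  version "15.1.9"\n  resolved "https://registry.example/next-15.1.9.tgz"\n'

if __name__ == "__main__":
    print("before:", audit(BEFORE_PKG, BEFORE_LOCK))          # (False, False)
    print("after:", audit(AFTER_PKG, AFTER_LOCK))             # (True, True)
    print("stale lockfile:", audit(AFTER_PKG, BEFORE_LOCK))   # (True, False)
```

The third case is the one the "Lockfile Verification" section guards against: package.json bumped but yarn.lock still resolving the old version.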
@rickhanlonii rickhanlonii marked this pull request as ready for review December 9, 2025 18:39

github-actions bot commented Dec 9, 2025

Size changes


📦 Next.js Bundle Analysis for react-dev

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

| Page | Size (compressed) |
|---|---|
| global | 110.56 KB (🟡 +9 B) |

The global bundle is the JavaScript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis.

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

Five Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

| Page | Size (compressed) | First Load |
|---|---|---|
| /404 | 128.06 KB (🟡 +117 B) | 238.62 KB |
| /500 | 128.07 KB (🟡 +117 B) | 238.63 KB |
| /[[...markdownPath]] | 130.5 KB (🟡 +117 B) | 241.07 KB |
| /errors | 128.31 KB (🟡 +117 B) | 238.87 KB |
| /errors/[errorCode] | 128.29 KB (🟡 +117 B) | 238.85 KB |

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of JavaScript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis.

Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by 10% or more, there will be a red status indicator applied, indicating that special attention should be given to this.

@rickhanlonii rickhanlonii merged commit d2b8458 into main Dec 9, 2025
5 checks passed
@rickhanlonii rickhanlonii deleted the vercel/packages-for-react-flight-rce-gm6khs branch December 9, 2025 18:48