Fix React Server Components CVE vulnerabilities#27
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| "@next/swc-linux-x64-gnu": "15.2.5", | ||
| "@next/swc-linux-x64-musl": "15.2.5", | ||
| "@next/swc-win32-arm64-msvc": "15.2.5", | ||
| "@next/swc-win32-x64-msvc": "15.2.5", |
There was a problem hiding this comment.
Bug: React packages remain at vulnerable version 19.0.0
The PR claims to fix CVE-2025-55182 (React2Shell) by upgrading "affected React and Next.js packages" but only upgrades Next.js from 15.2.4 to 15.2.8. The react and react-dom packages remain locked at version 19.0.0 in the lockfile, which is the vulnerable version. According to the referenced CVE, React needs to be upgraded to at least 19.0.1 to remediate the remote code execution vulnerability. This leaves the application exposed to the critical RCE vulnerability despite the stated fix.
Additional Locations (1)
1 participant
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project progress-bars. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com
Note
Upgrades
nextto15.2.8, updating related@next/*packages in the lockfile.nextfrom15.2.4to15.2.8inpackage.json.@next/envand platform-specific@next/swc-*packages inpackage-lock.json.Written by Cursor Bugbot for commit a11e372. This will update automatically on new commits. Configure here.