Skip to content

Fix React Server Components RCE vulnerability#1

Merged
legffy merged 1 commit intomainfrom
vercel/react-flight-rce-vulnerability-kfpcpy
Dec 8, 2025
Merged

Fix React Server Components RCE vulnerability#1
legffy merged 1 commit intomainfrom
vercel/react-flight-rce-vulnerability-kfpcpy

Conversation

@vercel
Copy link
Copy Markdown
Contributor

@vercel vercel bot commented Dec 8, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project blinders. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

@vercel
Update React Flight RCE vulnerability patches
46b5643 
## React Flight / Next.js RCE Advisory Security Update

### Summary
Updated the Blinders repository to address the React Flight / Next.js RCE advisory by patching affected Next.js versions.

### Affected Components Identified
- **./web**: Uses Next.js 15.5.4 with React 19.1.0 - **VULNERABLE**
- **./extensionVite**: Vite-based React app with no Next.js or React Flight packages - **NOT AFFECTED**

### Changes Made

#### 1. Updated ./web/package.json
- **next**: 15.5.4 → 15.5.7 (patched version for 15.5.x)
- **eslint-config-next**: 15.5.4 → 15.5.7 (to match Next.js version)
- **react** and **react-dom**: Left unchanged at 19.1.0 (Next.js will supply patched versions automatically)

#### 2. Updated Dependencies
- Ran `npm install` in ./web directory to update package-lock.json with the patched Next.js 15.5.7

### Verification Steps Completed
✅ **Dependency Resolution**: Confirmed that package-lock.json now contains Next.js 15.5.7
✅ **Build Verification**: Successfully ran `next build` - completed without errors
✅ **Linting**: Ran `eslint` - no linting errors introduced
✅ **No Breaking Changes**: Confirmed the build succeeded with the patched version

### Why These Changes
The React Flight / Next.js RCE advisory affects the mentioned packages. The web application uses Next.js 15.5.4, which falls under the 15.5.x range requiring an upgrade to 15.5.7. According to the vulnerability guidelines:
- For Next.js 15.5.x: upgrade to 15.5.7 (patched version)
- React and react-dom are not updated manually in Next.js projects, as Next.js supplies the correct patched versions automatically

### Files Modified
- **./web/package.json** - Updated Next.js version pins
- **./web/package-lock.json** - Updated by npm install (auto-generated)

### Files Not Modified
- **./extensionVite/package.json** - Not affected (no Next.js or React Flight packages)
- Application code and configuration files - No logic changes needed

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@vercel
Copy link
Copy Markdown
Contributor Author

vercel bot commented Dec 8, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
blinders Ready Ready Preview Comment Dec 8, 2025 4:39pm

@legffy
Copy link
Copy Markdown
Owner

legffy commented Dec 8, 2025

Next.js Fix

@legffy legffy marked this pull request as ready for review December 8, 2025 16:42
@legffy legffy merged commit 24f7f1f into main Dec 8, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@legffy legffy legffy approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@legffy