Fix React Server Components CVE vulnerabilities#7
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions:

- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
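As an added illustration of the scan the PR description attributes to the tool (walk package.json dependency fields and compare each entry against the fixed version), here is a small Node.js audit script. It is example code written for this page, not the fix-react2shell-next tool or any Vercel code; the only fixed version it takes from the page is next 15.4.10, and the `FLOORS` map, the constructed sample manifest and the helper names (`auditDependencies`, `lowerBound`, `formatFindings`) are assumptions. It reports rather than rewrites, and it distinguishes exact pins from ranges, because a range such as `^15.4.6` may already resolve to a fixed version in the lockfile.

```javascript
// Added example (not the PR's fix-react2shell-next tool): audit the dependency
// fields of a package.json against minimum fixed versions and report entries
// whose lowest admissible version is still below the floor.
//
// The only fixed version taken from the page is next 15.4.10; any other
// package/version pairs placed in the floors map must come from the advisory.

// Parse "MAJOR.MINOR.PATCH" (ignoring prerelease/build suffixes) into numbers.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(text);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of two parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Lowest version a dependency spec admits. Handles exact pins and the common
// ^, ~, >=, = and leading-v forms; anything else (dist-tags, wildcards,
// workspace:, compound ranges) returns null so the caller flags it for review.
function lowerBound(spec) {
  const s = String(spec).trim().replace(/^(\^|~|>=|=|v)/, "");
  if (!/^\d+\.\d+\.\d+/.test(s)) return null;
  return parseVersion(s);
}

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Returns one finding per dependency that appears in `floors`.
//   status: "ok" (lower bound >= floor), "vulnerable" (lower bound < floor),
//           or "unparseable" (spec could not be reduced to a version)
//   pinned: true for an exact version; for ranges the lockfile decides what is
//           installed, so a "vulnerable" range still needs a lockfile check.
function auditDependencies(pkg, floors) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!Object.prototype.hasOwnProperty.call(floors, name)) continue;
      const floor = parseVersion(floors[name]);
      if (!floor) throw new Error(`floor for ${name} is not a valid version: ${floors[name]}`);
      const lb = lowerBound(spec);
      const pinned = lb !== null && /^\d/.test(String(spec).trim());
      let status;
      if (lb === null) status = "unparseable";
      else status = compareVersions(lb, floor) < 0 ? "vulnerable" : "ok";
      findings.push({ name, field, spec: String(spec), fixed: floors[name], status, pinned });
    }
  }
  return findings;
}

// Floors: `next` comes from the diff on this page; add others from the advisory.
const FLOORS = { next: "15.4.10" };

// Constructed sample mirroring the pre-patch manifest shown in the diff.
const SAMPLE_BEFORE = {
  name: "qk-next",
  dependencies: {
    "drizzle-orm": "^0.44.4",
    "lucide-react": "^0.539.0",
    next: "15.4.6",
  },
};

// One human-readable line per finding.
function formatFindings(findings) {
  return findings.map((f) => {
    const tail = f.status === "vulnerable"
      ? ` -> bump to ${f.fixed}${f.pinned ? "" : " (range; check lockfile resolution)"}`
      : "";
    return `${f.status.toUpperCase()} ${f.field}.${f.name} ${f.spec}${tail}`;
  });
}

// CLI use: node audit.js path/to/package.json (falls back to the sample).
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const pkg = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_BEFORE;
  for (const line of formatFindings(auditDependencies(pkg, FLOORS))) console.log(line);
}
```

Run against the sample it prints `VULNERABLE dependencies.next 15.4.6 -> bump to 15.4.10`; point it at every package.json in a monorepo and treat any `unparseable` or non-pinned `vulnerable` line as a prompt to read the resolved version out of pnpm-lock.yaml before deciding the repository is patched.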
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| "drizzle-orm": "^0.44.4", | ||
| "lucide-react": "^0.539.0", | ||
| "next": "15.4.6", | ||
| "next": "15.4.10", |
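Review bot: Only `next` changes in this hunk (15.4.6 to 15.4.10), while the PR description lists react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack among the packages the tool updated, and none of them appear in the diff; the Bugbot finding on this PR further reports react and react-dom still at 19.1.0. Either add the corresponding version bumps to this package.json (or show in pnpm-lock.yaml that those packages resolve to fixed versions, which the change summary claims only for @next/* and @vercel/*), or correct the description so it matches what the diff actually changes.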
Incomplete security fix leaves React vulnerable to RCE
High Severity
The PR claims to fix CVE-2025-55182 (React) and CVE-2025-66478 (Next.js) but only upgrades next from 15.4.6 to 15.4.10. The react and react-dom packages remain at version 19.1.0, which is confirmed vulnerable to CVE-2025-55182 according to Snyk's vulnerability database. The PR description explicitly states it "upgrades the affected React and Next.js packages" but React is not actually being upgraded, leaving the RCE vulnerability unpatched and creating a false sense of security.
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project querykit. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com
Note

Security-focused dependency update:

- next: 15.4.6 to 15.4.10 in examples/qk-next/package.json, to incorporate RSC vulnerability patches
- pnpm-lock.yaml: updates @next/env and @next/swc-* platform binaries to 15.4.8/15.4.10 and rebinds @vercel/* packages to the new Next version

Written by Cursor Bugbot for commit 41bd66b.