From 241167da0a9e18f820c3783f00e6e86c108f3693 Mon Sep 17 00:00:00 2001 From: Rick Hanlon Date: Thu, 11 Dec 2025 17:11:02 -0500 Subject: [PATCH] Update instructions --- ...ulnerability-in-react-server-components.md | 31 +++++++++++++------ ...ode-exposure-in-react-server-components.md | 19 ++++++------ 2 files changed, 31 insertions(+), 19 deletions(-) diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md index 3fe7c0bd290..d47730ecd4f 100644 --- a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md +++ b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md 
@@ -58,27 +58,40 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F ## Update Instructions {/*update-instructions*/} + + +These instructions have been updated to include the new vulnerabilities: + + +- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) +- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) + +See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info. + + + ### Next.js {/*update-next-js*/} All users should upgrade to the latest patched version in their release line: ```bash -npm install next@15.0.5 // for 15.0.x -npm install next@15.1.9 // for 15.1.x -npm install next@15.2.6 // for 15.2.x -npm install next@15.3.6 // for 15.3.x -npm install next@15.4.8 // for 15.4.x -npm install next@15.5.7 // for 15.5.x -npm install next@16.0.7 // for 16.0.x +npm install next@14.2.34 // for 14.x +npm install next@15.0.6 // for 15.0.x +npm install next@15.1.10 // for 15.1.x +npm install next@15.2.7 // for 15.2.x +npm install next@15.3.7 // for 15.3.x +npm install next@15.4.9 // for 15.4.x +npm install next@15.5.8 // for 15.5.x +npm install next@16.0.9 // for 16.0.x ``` -If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release: +If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release: ```bash npm install next@14 ``` -See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info. +See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info. ### React Router {/*update-react-router*/} 
diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md index ed491cddcd4..54e4a87608a 100644 --- a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md +++ b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md 
@@ -26,20 +26,15 @@ The new vulnerabilities are disclosed as: - **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5) - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3) -These issues are present in the patches published last week. - We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities. - -#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} - -When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. +#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/} -This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix. +If you already updated for the Critical Security Vulnerability, you will need to update again. -Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle. +Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps. 
@@ -61,9 +56,13 @@ As before, if your app’s React code does not use a server, your app is not aff -#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/} +#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/} -If you already updated for the Critical Security Vulnerability, you will need to update again. +When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed. + +This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix. + +Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
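Review bot: in the first hunk (the `critical-security-vulnerability-in-react-server-components.md` update instructions), the rewritten `bash` block still uses `//` as a comment marker, which the shell does not recognise; a reader who copies `npm install next@14.2.34 // for 14.x` verbatim passes `//`, `for` and `14.x` to npm as additional package specifiers and the install fails or resolves something unintended. Use `#` for the per-release annotations, e.g. `npm install next@14.2.34 # for 14.x`, or move the release line into a table column. In the same hunk, the new 14.x row pins `14.2.34` while the canary downgrade a few lines below still says `npm install next@14`; either pin both to the same patched version or state that `next@14` must resolve to at least 14.2.34, so a reader cannot land on a 14.x release that predates the fix.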
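Review bot: in the second hunk (the new "The patches published last week are vulnerable" section of the 2025/12/11 post), the text tells readers who already updated that they "will need to update again" but does not name the fixed versions, so a reader cannot verify whether their current install is already patched without following the link to the earlier post; list the minimum fixed versions (or the CVE-to-version mapping) next to the link to the previous post's `#update-instructions`. The removed line "These issues are present in the patches published last week." was also the only explicit statement of which releases are affected; the new heading implies it, but stating the affected range in the section body keeps the disclosure self-contained for readers arriving from the CVE records.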