Skip to content

Update instructions #8195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rickhanlonii merged 1 commit into from
Dec 11, 2025
+31 −19
Merged

Update instructions #8195

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 22 additions & 9 deletions ...t/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,27 +58,40 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F

## Update Instructions {/*update-instructions*/}

<Note>

These instructions have been updated to include the new vulnerabilities:


- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)

See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info.

</Note>

### Next.js {/*update-next-js*/}

All users should upgrade to the latest patched version in their release line:

```bash
npm install next@15.0.5 // for 15.0.x
npm install next@15.1.9 // for 15.1.x
npm install next@15.2.6 // for 15.2.x
npm install next@15.3.6 // for 15.3.x
npm install next@15.4.8 // for 15.4.x
npm install next@15.5.7 // for 15.5.x
npm install next@16.0.7 // for 16.0.x
npm install next@14.2.34 // for 14.x
npm install next@15.0.6 // for 15.0.x
npm install next@15.1.10 // for 15.1.x
npm install next@15.2.7 // for 15.2.x
npm install next@15.3.7 // for 15.3.x
npm install next@15.4.9 // for 15.4.x
npm install next@15.5.8 // for 15.5.x
npm install next@16.0.9 // for 16.0.x
```

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release:

```bash
npm install next@14
```

See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.

### React Router {/*update-react-router*/}

Expand Down
19 changes: 9 additions & 10 deletions .../12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,20 +26,15 @@ The new vulnerabilities are disclosed as:
- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)

These issues are present in the patches published last week.

We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.


<Note>

#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/}

When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.
#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/}

This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix.
If you already updated for the Critical Security Vulnerability, you will need to update again.

Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.

</Note>

Expand All @@ -61,9 +56,13 @@ As before, if your app’s React code does not use a server, your app is not aff

<Note>

#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/}
#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/}

If you already updated for the Critical Security Vulnerability, you will need to update again.
When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.

This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix.

Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.

</Note>

Expand Down