Fix React Server Components RCE vulnerability

[vercel]

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project infraspec. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

• GitHub Security Advisory: GHSA-9qr9-h5gf-34mp

• React Advisory: CVE-2025-55182

• Next.js Advisory: CVE-2025-66478

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
infraspec	Ready	Preview	Comment	Dec 9, 2025 11:18pm

[claude]

Security Patch Review - Next.js RCE Vulnerability

Thank you for the automated security patch from Vercel. I've reviewed this PR and have the following observations:

✅ Positive Aspects

1. Critical Security Fix: This PR addresses CVE-2025-55182, a critical Remote Code Execution vulnerability in React Server Components. Applying this patch is essential.

2. Clean Dependency Update: The changes are minimal and focused:

   • Updates next from ^15.3.3 to 15.3.6 in package.json
   • Updates all related @next/swc-* platform-specific binaries
   • Adds required new dependencies (@swc/counter, busboy, streamsearch)

3. Lockfile Integrity: The package-lock.json changes are consistent with the version bump and maintain proper dependency resolution.

⚠️ Concerns & Questions

1. Version Downgrade Confusion:

   • The current package-lock.json shows Next.js 15.5.6 is installed
   • This PR appears to downgrade to 15.3.6
   • The package.json previously specified ^15.3.3 (allowing 15.5.6 via semver)
   • Question: Is 15.3.6 truly the patched version, or should we be upgrading to a newer 15.5.x or 15.6.x version that includes the fix?

2. Missing Test Coverage:

   • No CI workflow tests the website build
   • The .github/workflows/test.yml only tests Go code
   • Recommendation: Consider adding a website build verification step to CI

3. Semver Pin:

   • The PR changes from ^15.3.3 (flexible) to 15.3.6 (pinned)
   • This prevents automatic patch updates
   • Consideration: Future security patches in the 15.3.x line won't auto-apply

🔍 Verification Needed

Before merging, please verify:

1. Version Correctness: Confirm that Next.js 15.3.6 is indeed the correct patched version for CVE-2025-55182. The version downgrade from 15.5.6 → 15.3.6 seems unusual for a security patch.

2. Build Test: Run cd website && npm install && npm run build to ensure the website builds successfully with these changes.

3. Advisory Cross-Reference: Verify the linked advisories (GHSA-9qr9-h5gf-34mp, CVE-2025-55182, CVE-2025-66478) specifically list 15.3.6 as a patched version.

📋 Testing Recommendations

cd website
npm install
npm run build
npm run start # Verify the site runs

🎯 Overall Assessment

Status: ⚠️ Needs Clarification before merging

While addressing the RCE vulnerability is critical and urgent, the apparent version downgrade raises questions about whether this is the correct fix. Please verify with Vercel or check the official Next.js security advisory to confirm 15.3.6 is the intended patched version.

---

Note: This review follows the InfraSpec project's coding standards and security best practices as outlined in CLAUDE.md.