Fix React Server Components CVE vulnerabilities#10
Fix React Server Components CVE vulnerabilities#10vercel[bot] wants to merge 1 commit intomasterfrom
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This automated pull request addresses critical security vulnerabilities in React Server Components (CVE-2025-55182 and CVE-2025-66478) by upgrading Next.js from version ^15.0.3 to 15.0.7. The update includes corresponding changes to the dependency tree.
- Upgrades Next.js to patched version 15.0.7
- Updates Next.js SWC compiler binaries to version 15.0.5
- Downgrades Sharp image processing library from 0.34.x to 0.33.x (compatibility requirement)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates Next.js version from ^15.0.3 to pinned 15.0.7 |
| package-lock.json | Updates lockfile with new Next.js version, SWC binaries at 15.0.5, Sharp downgraded to 0.33.5, adds new dependencies (busboy, @swc/counter, color utilities), and removes some optional Sharp platform binaries |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "framer-motion": "^11.12.0", | ||
| "lucide-react": "^0.456.0", | ||
| "next": "^15.0.3", | ||
| "next": "15.0.7", |
There was a problem hiding this comment.
The Next.js version has been changed from a flexible range ^15.0.3 to an exact pinned version 15.0.7. This removes the caret (^) operator, which means future patch updates will not be automatically applied. Consider using ^15.0.7 instead to allow automatic patch updates for future security fixes while staying within the 15.0.x range.
| "next": "15.0.7", | |
| "next": "^15.0.7", |
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project 7419tech. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com