Fix React Server Components CVE vulnerabilities #1
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
Pull request overview
This PR updates Next.js from version ^15.3.6 to 15.3.8 to patch critical React Server Components CVE vulnerabilities (CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779). The update is automatically generated by Vercel to ensure the application is protected against known security vulnerabilities in React Server Components.
Key Changes
- Updates Next.js to version 15.3.8 with security patches
- Updates @next/env dependency to match the new Next.js version
- Removes the caret prefix from the Next.js version specification, pinning it to an exact version
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates Next.js version from ^15.3.6 to 15.3.8 (exact pin) |
| package-lock.json | Updates Next.js and @next/env package versions and integrity hashes to match 15.3.8 |
| "@heroicons/react": "^2.2.0", | ||
| "clsx": "^2.1.1", | ||
| "next": "^15.3.6", | ||
| "next": "15.3.8", |
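Review bot: The commit message lists react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack as updated, but the visible change is only the `next` pin in package.json, and the overview reports only `next` and `@next/env` changing in package-lock.json. None of the react-server-dom-* packages appear in the package.json lines shown, so confirm whether they are present in package-lock.json at all (for instance as transitive dependencies) and, if so, that their resolved versions now match the advisory's fixed versions; otherwise this PR pins Next.js but leaves the Server Components packages named in the commit message unverified.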
The eslint-config-next package on line 75 is currently at version 15.3.4, which is mismatched with the updated Next.js version 15.3.8. The eslint-config-next package should typically match the Next.js version to ensure compatibility and access to the latest linting rules. Consider updating eslint-config-next to 15.3.8 as well.
| "@heroicons/react": "^2.2.0", | ||
| "clsx": "^2.1.1", | ||
| "next": "^15.3.6", | ||
| "next": "15.3.8", |
The Next.js version is now pinned to an exact version (15.3.8) without a caret prefix, while the original version used ^15.3.6. This removes the ability to automatically receive patch updates. For security-critical dependencies like Next.js, it's better to use the caret prefix (^15.3.8) to allow automatic patch version updates while staying within the same minor version.
| "next": "15.3.8", | |
| "next": "^15.3.8", |
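Review bot: Applying this suggestion changes only package.json. Because package-lock.json already resolves `next` to 15.3.8 (per the overview) and 15.3.8 satisfies `^15.3.8`, the lockfile needs no regeneration and `npm ci` will still install exactly 15.3.8; the caret only changes what a future `npm update` or an install without the lockfile may pull in. So the pin-versus-caret choice here is about future drift, not about what this PR deploys, and whichever form is chosen should also be applied to eslint-config-next (flagged above at 15.3.4) so the two stay in lockstep.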
Important
This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. We can't guarantee the PR is comprehensive, and it may contain mistakes.
Not all projects are affected by all issues, but patched versions are required to ensure full remediation.
Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.
This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.
See our Security Bulletins for more information and reach out to security@vercel.com with any questions.
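The following is an added verification script, not part of this PR, of Vercel's fix-react2shell-next tool, or of the advisory. It addresses two points raised on this page: checking that the packages actually resolved in package-lock.json are at or above a fixed version (the remediation note above says patched versions are required, and the lockfile, not the package.json range, decides what `npm ci` installs), and showing what an exact pin versus a caret range admits (the pinning discussion in the review). Assumptions: a lockfile v2/v3 `packages` map; the minimum versions 15.3.8 for `next` and `@next/env` taken from this PR, with any other advisory packages to be added from the advisory itself; the sample lockfile is constructed for the demo.

```javascript
// Added example: audit a package-lock.json for packages below a known fixed
// version, and evaluate npm exact-pin vs caret ranges. Not code from this PR.

// "15.3.8" -> [15, 3, 8]. Pre-release suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Does `version` satisfy a package.json range? Handles only the two forms
// discussed on this page: an exact pin ("15.3.8") and a caret range ("^15.3.8").
function satisfies(range, version) {
  if (!range.startsWith("^")) return compareVersions(range, version) === 0;
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [bMaj, bMin] = parseVersion(base);
  const [vMaj, vMin] = parseVersion(version);
  if (bMaj > 0) return vMaj === bMaj;              // ^15.3.8 => >=15.3.8 <16.0.0
  if (bMin > 0) return vMaj === 0 && vMin === bMin; // ^0.2.3  => >=0.2.3  <0.3.0
  return compareVersions(version, base) === 0;      // ^0.0.3  => exactly 0.0.3
}

// Walk the lockfile "packages" map (keys like "node_modules/next" or nested
// "node_modules/foo/node_modules/next") and report any audited package whose
// resolved version is below its minimum fixed version.
function auditLock(lock, minimums) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0 || !entry.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    const min = minimums[name];
    if (min && compareVersions(entry.version, min) < 0) {
      findings.push({ name, path, installed: entry.version, fixed: min });
    }
  }
  return findings;
}

// Minimum fixed versions as applied by this PR. Extend with the other packages
// named in the React advisory (their fixed versions are not stated on this page).
const FIXED = { next: "15.3.8", "@next/env": "15.3.8" };

// Constructed sample lockfile (not this repository's real package-lock.json):
// package.json already asks for 15.3.8 but the lockfile still resolves 15.3.6.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", dependencies: { next: "15.3.8" } },
    "node_modules/next": { version: "15.3.6" },
    "node_modules/@next/env": { version: "15.3.6" },
    "node_modules/clsx": { version: "2.1.1" },
  },
};

// Stand-alone run: audit the real lockfile if a path is given, else the sample.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const findings = auditLock(lock, FIXED);
  for (const f of findings) console.log(`${f.path}: ${f.installed} < fixed ${f.fixed}`);
  console.log(findings.length ? "vulnerable versions still resolved" : "all audited packages at fixed versions");
}
```

Run as `node audit.js package-lock.json` against a real lockfile; a non-empty report means the lockfile still resolves a vulnerable version even if package.json was edited, which is exactly the case a package.json-only change would miss. `satisfies` makes the review's point concrete: `15.3.8` admits only that version, while `^15.3.8` admits 15.3.9 and 15.4.0 but not 16.0.0.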