Conversation

@vercel vercel bot commented Dec 8, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project relay-sdk-demo. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | [email protected]

## React Flight / Next.js RCE Advisory Fix

### Summary
Updated the relay-kit monorepo to address the React Flight / Next.js RCE advisory by ensuring the affected demo application uses a patched version of Next.js.

### Analysis Results
The monorepo was scanned for packages affected by the React Flight / Next.js RCE advisory:

**Affected Packages Detected:**
- `demo/package.json`: Contains `next` (Next.js framework)

**Not Affected:**
- No `react-server-dom-webpack`, `react-server-dom-parcel`, or `react-server-dom-turbopack` packages found
- All other workspace packages are library packages without Next.js or React Flight dependencies

### Changes Made

#### Modified Files:
1. **demo/package.json**
   - Updated `next` from `"latest"` to `"15.5.7"` (patched version for 15.5.x line)
   - Reason: Next.js 15.5.7 is the patched version that addresses the React Flight RCE vulnerability

2. **pnpm-lock.yaml**
   - Updated lock file to reflect the pinned Next.js 15.5.7 version
   - Lock file now resolves to:
     - `next@15.5.7` (patched)
     - `react@19.1.1` (safe - not vulnerable)
     - `react-dom@19.1.1` (safe - matches React version)

### Technical Details

**Vulnerability Context:**
The advisory addresses an RCE vulnerability in React Flight / Next.js:
- Next.js 15.5.x: Patched version is 15.5.7
- The project was using `"latest"` which was resolving to 15.5.5, an older version
- Upgraded to explicitly pin 15.5.7, the patched version

**Why React versions were not manually updated:**
- This is a Next.js project, so Next.js handles React version management automatically
- React 19.1.1 is safe (not one of the vulnerable versions: 19.0.0, 19.1.0, 19.2.0)
- No manual React version changes were needed

**Non-Affected Packages:**
- The workspace contains utility packages (SDK, hooks, UI components, adapters) that are library packages
- None of these depend on Next.js or React Flight packages
- They remain unchanged as they are not affected by this vulnerability

### Verification
- Lock file correctly resolves to `next@15.5.7`
- React and react-dom versions are compatible with the patched Next.js
- No React Flight packages are present in the codebase
- All dependencies have been successfully resolved via `pnpm install`

### Implementation Notes
- Only the affected package (demo) was updated
- The fix follows the advisory guidance for Next.js 15.x projects
- No breaking changes or additional configuration was required
- The update is minimal and focused, ensuring no unintended side effects

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
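The "Analysis Results" and "Verification" sections above amount to three checks done by hand: that `next` is pinned rather than floating on `"latest"`, that the lockfile resolves to the patched 15.5.7 on the 15.5.x line with a React version outside the vulnerable set, and that no `react-server-dom-*` package is present. The Node.js script below is an added example, not code from the PR or the relay-kit project, that runs those same checks over a package manifest and a pnpm lockfile. The version facts (15.5.7 patched, React 19.0.0/19.1.0/19.2.0 vulnerable, the three Flight package names) are taken from the PR text; the sample manifests and lockfiles are constructed for the example, and the lockfile reader assumes pnpm's `name@version:` keys under `packages:`, which is an assumption about the format rather than something the PR states.

```javascript
// Added example (not from the PR or the relay-kit project): audit a manifest and a
// pnpm lockfile for the conditions the PR description checks by hand.
// Version facts come from the PR text; sample inputs below are constructed.

const PATCHED_NEXT = { "15.5": "15.5.7" };                        // from the PR: 15.5.x line
const VULNERABLE_REACT = new Set(["19.0.0", "19.1.0", "19.2.0"]);  // from the PR
const FLIGHT_PACKAGES = [
  "react-server-dom-webpack", "react-server-dom-parcel", "react-server-dom-turbopack",
];

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison so that 15.5.10 sorts after 15.5.7 (string compare gets this wrong).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`not a semver: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// "latest", "^15.5.0" and "*" float and can resolve to a stale release, which is
// how the demo ended up on 15.5.5; only an exact "x.y.z" counts as pinned.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(String(spec));
}

function auditManifest(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if ("next" in deps && !isExactPin(deps.next)) {
    findings.push(`next spec "${deps.next}" is not an exact pin; pin a patched version`);
  }
  for (const name of FLIGHT_PACKAGES) {
    if (name in deps) findings.push(`${name} declared; check it against the advisory`);
  }
  return findings;
}

// Map name -> resolved version for "  name@version:" entries below "packages:"
// (assumed pnpm layout). Peer suffixes like "(react@19.1.1)" are dropped.
function resolvedVersions(lockText) {
  const out = {};
  const start = /^packages:\s*$/m.exec(lockText);
  if (!start) return out;
  const body = lockText.slice(start.index);
  const re = /^ {2}'?\/?(@?[^@'\s]+)@(\d+\.\d+\.\d+[^':\s]*)'?:\s*$/gm;
  let m;
  while ((m = re.exec(body)) !== null) out[m[1]] = m[2].replace(/\(.*$/, "");
  return out;
}

function auditLockfile(lockText) {
  const findings = [];
  const resolved = resolvedVersions(lockText);
  if (resolved.next) {
    const [major, minor] = parseSemver(resolved.next);
    const line = `${major}.${minor}`;
    const patched = PATCHED_NEXT[line];
    if (patched === undefined) {
      findings.push(`next@${resolved.next}: ${line}.x is not in this table; consult the advisory`);
    } else if (compareSemver(resolved.next, patched) < 0) {
      findings.push(`next@${resolved.next} is older than patched ${patched}`);
    }
  }
  if (resolved.react && VULNERABLE_REACT.has(resolved.react)) {
    findings.push(`react@${resolved.react} is a vulnerable version`);
  }
  for (const name of FLIGHT_PACKAGES) {
    if (resolved[name]) findings.push(`${name}@${resolved[name]} resolved; check it against the advisory`);
  }
  return findings;
}

// Constructed inputs: the demo before this PR (floating "latest" resolving to 15.5.5)
// and after it (pinned 15.5.7). Integrity hashes are placeholders, not real values.
const MANIFEST_BEFORE = { dependencies: { next: "latest", react: "19.1.1", "react-dom": "19.1.1" } };
const MANIFEST_AFTER = { dependencies: { next: "15.5.7", react: "19.1.1", "react-dom": "19.1.1" } };

function lockfileFor(nextVersion) {
  return [
    "lockfileVersion: '9.0'", "", "packages:", "",
    `  next@${nextVersion}:`, "    resolution: {integrity: sha512-PLACEHOLDER}", "",
    "  react@19.1.1:", "    resolution: {integrity: sha512-PLACEHOLDER}", "",
    "  react-dom@19.1.1:", "    resolution: {integrity: sha512-PLACEHOLDER}", "",
  ].join("\n");
}
const LOCK_BEFORE = lockfileFor("15.5.5");
const LOCK_AFTER = lockfileFor("15.5.7");

console.log("before:", auditManifest(MANIFEST_BEFORE), auditLockfile(LOCK_BEFORE));
console.log("after: ", auditManifest(MANIFEST_AFTER), auditLockfile(LOCK_AFTER));
```

Run it with `node audit.js`; in the "before" state it reports both the unpinned `next` spec and the stale `next@15.5.5`, and in the "after" state it reports nothing. The table of patched versions deliberately covers only the 15.5.x line named in the PR, so any other release line is reported as "consult the advisory" rather than silently passed.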

vercel bot commented Dec 8, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| relay-sdk-demo | Ready | Preview | Comment | Dec 8, 2025 10:56am |

@pedromcunha pedromcunha marked this pull request as ready for review December 8, 2025 14:29
@pedromcunha pedromcunha merged commit cd8af71 into main Dec 8, 2025
3 checks passed
@pedromcunha pedromcunha deleted the vercel/nextjs-and-react-flight-to-pat-zeynn2 branch December 8, 2025 14:29