feat: Add CVE-2025-55182 support for React core packages

README.md

@@ -2,7 +2,7 @@
 
 ![fix-react2shell-next](https://raw.githubusercontent.com/vercel-labs/fix-react2shell-next/main/cli.gif)
 
-One command to fix **[CVE-2025-66478](https://nextjs.org/blog/CVE-2025-66478)** (React 2 Shell RCE) in your Next.js / React RSC app.
+One command to fix multiple React/Next.js security vulnerabilities in your Next.js / React RSC app.
 
 ```bash
 npx fix-react2shell-next
@@ -38,13 +38,46 @@ Deterministic version bumps per the official advisories.
 | 16.x canaries | 16.1.0-canary.12 |
 | 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |
 
-### React RSC Packages
+### React Server Components (CVE-2025-55182)
 
 | Current Version | Patched Version |
 |-----------------|-----------------|
-| 19.0.0 | 19.0.1 |
-| 19.1.0, 19.1.1 | 19.1.2 |
-| 19.2.0 | 19.2.1 |
+| 19.0.0 | 19.0.2 |
+| 19.1.0, 19.1.1 | 19.1.3 |
+| 19.2.0 | 19.2.2 |
+
+*Applies to: `react`, `react-dom`, `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`*
+
+### React Server Components (CVE-2025-55184)
+
+| Current Version | Patched Version |
+|-----------------|-----------------|
+| 19.0.0, 19.0.1 | 19.0.2 |
+| 19.1.0, 19.1.1, 19.1.2 | 19.1.3 |
+| 19.2.0, 19.2.1 | 19.2.2 |
+
+*Applies to: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`*
+
+### React Server Components (CVE-2025-55183)
+
+| Current Version | Patched Version |
+|-----------------|-----------------|
+| 19.0.0, 19.0.1 | 19.0.2 |
+| 19.1.0, 19.1.1, 19.1.2 | 19.1.3 |
+| 19.2.0, 19.2.1 | 19.2.2 |
+
+*Applies to: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`*
+
+### React Server Components (CVE-2025-67779)
+
+| Current Version | Patched Version |
+|-----------------|-----------------|
+| 19.0.2 | 19.0.3 |
+| 19.1.3 | 19.1.4 |
+| 19.2.2 | 19.2.3 |
+
+*Applies to: `react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`*
+*Note: Incomplete fix follow-up for CVE-2025-55184*
 
 ## Usage
 

lib/vulnerabilities/cve-2025-55182.js

@@ -0,0 +1,77 @@
+/**
+ * CVE-2025-55182: React Server Components RCE
+ * @see https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
+ * @see https://www.facebook.com/security/advisories/cve-2025-55182
+ *
+ * Affected packages:
+ * - react: 19.0.0, 19.1.0, 19.1.1, 19.2.0
+ * - react-dom: 19.0.0, 19.1.0, 19.1.1, 19.2.0
+ * - react-server-dom-webpack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
+ * - react-server-dom-parcel: 19.0.0, 19.1.0, 19.1.1, 19.2.0
+ * - react-server-dom-turbopack: 19.0.0, 19.1.0, 19.1.1, 19.2.0
+ *
+ * Note: This CVE affects React Server Components across all bundlers.
+ */
+
+const { cleanVersion } = require('../utils/version');
+
+// React packages vulnerable to this CVE
+const REACT_VULNERABLE_VERSIONS = [
+  '19.0.0', '19.1.0', '19.1.1', '19.2.0',
+];
+
+// React package patches (must patch beyond CVE-2025-55184/55183 vulnerabilities)
+const REACT_PATCHES = {
+  '19.0.0': '19.0.2',
+  '19.1.0': '19.1.3',
+  '19.1.1': '19.1.3',
+  '19.2.0': '19.2.2',
+};
+
+// React Server Components packages affected by this CVE
+const REACT_RSC_PACKAGES = [
+  'react-server-dom-webpack',
+  'react-server-dom-parcel',
+  'react-server-dom-turbopack',
+];
+
+// All packages affected by this CVE
+const REACT_PACKAGES = ['react', 'react-dom', ...REACT_RSC_PACKAGES];
+
+function isReactVulnerable(version) {
+  const cleaned = cleanVersion(version);
+  return REACT_VULNERABLE_VERSIONS.includes(cleaned);
+}
+
+function getReactPatchedVersion(version) {
+  const cleaned = cleanVersion(version);
+  return REACT_PATCHES[cleaned] || null;
+}
+
+module.exports = {
+  // Metadata
+  id: 'CVE-2025-55182',
+  name: 'React Server Components RCE',
+  severity: 'critical',
+  description: 'Pre-authentication remote code execution via unsafe deserialization in React Server Components',
+
+  // Packages this CVE applies to
+  packages: REACT_PACKAGES,
+
+  // Check if a specific package@version is vulnerable
+  isVulnerable(packageName, version) {
+    if (REACT_PACKAGES.includes(packageName)) {
+      return { vulnerable: isReactVulnerable(version), reason: 'react-version-check' };
+    }
+    return { vulnerable: false, reason: 'not-applicable' };
+  },
+
+  // Get the minimum version that fixes this CVE
+  getPatchedVersion(packageName, version) {
+    if (REACT_PACKAGES.includes(packageName)) {
+      const patched = getReactPatchedVersion(version);
+      return patched ? { recommended: patched } : null;
+    }
+    return null;
+  },
+};

lib/vulnerabilities/cve-2025-55183.js

@@ -1,18 +1,14 @@
 /**
  * CVE-2025-55183: Source Code Exposure in React Server Components
  * @see https://vercel.com/kb/bulletin/cve-2025-55184-and-cve-2025-55183
+ * @see https://www.facebook.com/security/advisories/cve-2025-55183
+ * @see https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  *
- * Affected versions:
- * - Next.js 15.0.x before 15.0.6
- * - Next.js 15.1.x before 15.1.10
- * - Next.js 15.2.x before 15.2.7
- * - Next.js 15.3.x before 15.3.7
- * - Next.js 15.4.x before 15.4.9
- * - Next.js 15.5.x before 15.5.8
- * - Next.js 15.x canary before 15.6.0-canary.59
- * - Next.js 16.0.x before 16.0.9
- * - Next.js 16.x canary before 16.1.0-canary.18
- * - React RSC packages 19.0.0 through 19.2.1
+ * Affected packages:
+ * - next: various 15.x/16.x versions (App Router only)
+ * - react-server-dom-webpack: 19.0.0 through 19.2.1
+ * - react-server-dom-parcel: 19.0.0 through 19.2.1
+ * - react-server-dom-turbopack: 19.0.0 through 19.2.1
  *
  * Note: Next.js 13.x and 14.x are NOT affected by this CVE.
  * Note: Next.js Pages Router applications are not affected.

lib/vulnerabilities/cve-2025-55184.js

@@ -1,20 +1,14 @@
 /**
  * CVE-2025-55184: Denial of Service in React Server Components
  * @see https://vercel.com/kb/bulletin/cve-2025-55184-and-cve-2025-55183
+ * @see https://www.facebook.com/security/advisories/cve-2025-55184
+ * @see https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  *
- * Affected versions:
- * - Next.js 13.x (>= 13.3) - upgrade to 14.2.34
- * - Next.js 14.x before 14.2.34
- * - Next.js 15.0.x before 15.0.6
- * - Next.js 15.1.x before 15.1.10
- * - Next.js 15.2.x before 15.2.7
- * - Next.js 15.3.x before 15.3.7
- * - Next.js 15.4.x before 15.4.9
- * - Next.js 15.5.x before 15.5.8
- * - Next.js 15.x canary before 15.6.0-canary.59
- * - Next.js 16.0.x before 16.0.9
- * - Next.js 16.x canary before 16.1.0-canary.18
- * - React RSC packages 19.0.0 through 19.2.1
+ * Affected packages:
+ * - next: 13.x (>= 13.3), 14.x, 15.x, 16.x versions (App Router only)
+ * - react-server-dom-webpack: 19.0.0 through 19.2.1
+ * - react-server-dom-parcel: 19.0.0 through 19.2.1
+ * - react-server-dom-turbopack: 19.0.0 through 19.2.1
  *
  * Note: Next.js Pages Router applications are not affected.
  */

lib/vulnerabilities/cve-2025-66478.js

@@ -1,10 +1,12 @@
 /**
- * CVE-2025-66478: React2Shell
+ * CVE-2025-66478: React2Shell (Next.js)
  * @see https://vercel.com/kb/bulletin/react2shell
+ * @see https://nextjs.org/blog/CVE-2025-66478
  *
  * Affected packages:
  * - next: 14.3.0-canary.77 through various 15.x/16.x versions
- * - react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack: specific 19.x versions
+ *
+ * Note: Next.js Pages Router applications are not affected.
  */
 
 const { parseVersion, compareVersions, cleanVersion } = require('../utils/version');

lib/vulnerabilities/cve-2025-67779.js

@@ -1,26 +1,21 @@
 /**
- * CVE-2025-67779: Denial of Service with Server Components - Incomplete Fix Follow-Up
+ * CVE-2025-67779: DoS Incomplete Fix Follow-Up
  * @see https://github.com/advisories/GHSA-5j59-xgg2-r9c4
  * @see https://www.cve.org/CVERecord?id=CVE-2025-67779
+ * @see https://www.facebook.com/security/advisories/cve-2025-67779
+ * @see https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  *
- *
- * Affected versions:
- * - Next.js 13.x (>= 13.3) - upgrade to 14.2.35
- * - Next.js 14.x before 14.2.35
- * - Next.js 15.0.x before 15.0.7
- * - Next.js 15.1.x before 15.1.11
- * - Next.js 15.2.x before 15.2.8
- * - Next.js 15.3.x before 15.3.8
- * - Next.js 15.4.x before 15.4.10
- * - Next.js 15.5.x before 15.5.9
- * - Next.js 15.x canary before 15.6.0-canary.60
- * - Next.js 16.0.x before 16.0.10
- * - Next.js 16.x canary before 16.1.0-canary.19
+ * Affected packages:
+ * - next: 13.x (>= 13.3), 14.x, 15.x, 16.x versions (App Router only)
+ * - react-server-dom-webpack: 19.0.2, 19.1.3, 19.2.2
+ * - react-server-dom-parcel: 19.0.2, 19.1.3, 19.2.2
+ * - react-server-dom-turbopack: 19.0.2, 19.1.3, 19.2.2
  *
  * Note: Next.js Pages Router applications are not affected.
+ * Note: Incomplete fix follow-up for CVE-2025-55184.
  */
 
-const { parseVersion, compareVersions } = require('../utils/version');
+const { parseVersion, compareVersions, cleanVersion } = require('../utils/version');
 
 // Patched versions for Next.js 15.x and 16.x stable releases
 const NEXT_PATCHED_VERSIONS = {
@@ -39,6 +34,24 @@ const NEXT_CANARY_PATCHES = {
   16: '16.1.0-canary.19',
 };
 
+// React Server Components vulnerable versions (19.0.2, 19.1.3, 19.2.2)
+const REACT_RSC_VULNERABLE_VERSIONS = [
+  '19.0.2', '19.1.3', '19.2.2',
+];
+
+// React Server Components patches
+const REACT_RSC_PATCHES = {
+  '19.0.2': '19.0.3',
+  '19.1.3': '19.1.4',
+  '19.2.2': '19.2.3',
+};
+
+const REACT_RSC_PACKAGES = [
+  'react-server-dom-webpack',
+  'react-server-dom-parcel',
+  'react-server-dom-turbopack',
+];
+
 function isNextVulnerable(version) {
   const parsed = parseVersion(version);
   if (!parsed) return { vulnerable: false, reason: 'unparseable' };
@@ -125,6 +138,16 @@ function isNextVulnerable(version) {
   return { vulnerable: false, reason: 'future-version' };
 }
 
+function isReactRscVulnerable(version) {
+  const cleaned = cleanVersion(version);
+  return REACT_RSC_VULNERABLE_VERSIONS.includes(cleaned);
+}
+
+function getReactRscPatchedVersion(version) {
+  const cleaned = cleanVersion(version);
+  return REACT_RSC_PATCHES[cleaned] || null;
+}
+
 function getNextPatchedVersion(version) {
   const parsed = parseVersion(version);
   if (!parsed) return null;
@@ -184,19 +207,26 @@ module.exports = {
   name: 'DoS Incomplete Fix Follow-Up',
   severity: 'high',
   description: 'Incomplete fix for CVE-2025-55184 DoS via malicious RSC payload causing infinite loop',
-  packages: ['next'],
+  packages: ['next', ...REACT_RSC_PACKAGES],
 
   isVulnerable(packageName, version) {
     if (packageName === 'next') {
       return isNextVulnerable(version);
     }
+    if (REACT_RSC_PACKAGES.includes(packageName)) {
+      return { vulnerable: isReactRscVulnerable(version), reason: 'rsc-version-check' };
+    }
     return { vulnerable: false, reason: 'not-applicable' };
   },
 
   getPatchedVersion(packageName, version) {
     if (packageName === 'next') {
       return getNextPatchedVersion(version);
     }
+    if (REACT_RSC_PACKAGES.includes(packageName)) {
+      const patched = getReactRscPatchedVersion(version);
+      return patched ? { recommended: patched } : null;
+    }
     return null;
   },
 };

lib/vulnerabilities/index.js

@@ -4,10 +4,11 @@
  */
 
 const vulnerabilities = [
-  require('./cve-2025-66478'),  // React2Shell - RCE (critical)
-  require('./cve-2025-55184'),  // DoS (high)
-  require('./cve-2025-55183'),  // Source Code Exposure (medium)
-  require('./cve-2025-67779'),  // DoS Incomplete Fix Follow-Up (high)
+  require('./cve-2025-66478'),  // React2Shell: RCE in Next.js App Router (critical)
+  require('./cve-2025-55184'),  // DoS: Infinite loops in React Server Components (high)
+  require('./cve-2025-55183'),  // Source Code Exposure: Server Functions leak source (medium)
+  require('./cve-2025-55182'),  // RCE: Unsafe deserialization in React Server Components (critical)
+  require('./cve-2025-67779'),  // DoS Follow-up: Incomplete fix for CVE-2025-55184 (high)
 ];
 
 // Get all unique package names across all vulnerabilities

package.json

@@ -5,7 +5,7 @@
     "type": "git",
     "url": "https://github.com/vercel-labs/fix-react2shell-next.git"
   },
-  "description": "Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command",
+  "description": "Fix multiple React/Next.js security vulnerabilities in Next.js apps with one command",
   "main": "index.js",
   "bin": {
     "fix-react2shell-next": "./bin/cli.js"