Fix React Server Components CVE vulnerabilities#68
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR is an automated security patch intended to remediate the React Server Components (RSC) deserialization RCE vulnerability by upgrading affected Next.js/React dependencies in badgers-web.
Changes:
- Bump
nextfrom15.0.3to15.0.7inbadgers-web/package.json.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "eslint": "8.57.0", | ||
| "eslint-config-next": "15.0.3", | ||
| "next": "15.0.3", | ||
| "next": "15.0.7", |
There was a problem hiding this comment.
next was bumped in package.json, but badgers-web/yarn.lock still resolves next@npm:15.0.3. Please regenerate and commit the lockfile update (e.g., run yarn install in badgers-web) so installs/CI are reproducible (and will pass if using yarn install --immutable).
| "next": "15.0.7", | |
| "next": "15.0.3", |
| "next": "15.0.7", | ||
| "postcss": "8.4.38", | ||
| "react": "19.0.0-rc-66855b96-20241106", | ||
| "react-dom": "19.0.0-rc-66855b96-20241106", |
There was a problem hiding this comment.
PR description says the automated fix upgrades the affected React and Next.js packages, but this diff only bumps next. Please confirm whether react/react-dom also need to be upgraded to patched builds for the referenced RSC CVEs, and update them here if so.
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project spacebadgers. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com