Fix React Server Components RCE vulnerability#499
Pull request overview
Updates the project’s Next.js-related dependencies in package.json to versions intended to remediate the reported React Server Components RCE vulnerability affecting Next.js deployments.
Changes:
- Bump next from ^15.1.2 to 15.1.9
- Bump eslint-config-next from ^15.1.2 to 15.1.9
package.json
Outdated
| "clsx": "^2.1.0", | ||
| "lucide-react": "^0.441.0", | ||
| "next": "^15.1.2", | ||
| "next": "15.1.9", |
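Review bot: this hunk changes package.json only; if the repository commits a lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml), the version of next that actually gets installed is the one resolved there, so the lockfile has to be regenerated in the same PR or the installed copy stays at whatever was previously resolved for ^15.1.2. Worth confirming the lockfile change is part of this PR, since only package.json is shown here.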
next is now pinned to an exact version while the rest of the dependencies use semver ranges. Pinning can prevent automatically receiving future patch/security releases; consider using a range (e.g., ^15.1.9) and relying on the lockfile for reproducibility unless you have a specific reason to hard-pin.
| "next": "15.1.9", | |
| "next": "^15.1.9", |
This comment is no longer applicable. After rebasing onto main, this PR produces an empty diff — the project has migrated from Next.js to Vite, so next is no longer a dependency. The vulnerability CVE-2025-55182 / CVE-2025-66478 no longer affects this project.
package.json
Outdated
| "@types/react-syntax-highlighter": "^15.5.13", | ||
| "eslint": "^9", | ||
| "eslint-config-next": "^15.1.2", | ||
| "eslint-config-next": "15.1.9", |
Same as next, eslint-config-next is pinned to an exact version whereas other devDependencies use semver ranges. Consider switching to a range (e.g., ^15.1.9) so patch-level security fixes can be picked up without editing package.json each time.
| "eslint-config-next": "15.1.9", | |
| "eslint-config-next": "^15.1.9", |
This comment is no longer applicable. After rebasing onto main, this PR produces an empty diff — the project has migrated from Next.js to Vite, so eslint-config-next is no longer a dependency.
package.json
Outdated
| "next": "15.1.9", | ||
| "playwright": "^1.49.1", | ||
| "react": "^18", | ||
| "react-dom": "^18", |
PR description says this upgrades "React and Next.js packages", but this diff only changes next / eslint-config-next while leaving react and react-dom ranges unchanged. Either update the PR description to reflect what's actually changing, or pin/raise react and react-dom to the known-patched minimum versions for this advisory if they are also in scope.
This observation is now moot. After rebasing onto main, this PR produces an empty diff — the project has fully migrated from Next.js to Vite, removing both next and eslint-config-next from the dependency tree. The React Server Components RCE vulnerability (CVE-2025-55182 / CVE-2025-66478) no longer affects this project.
7829b57 to 4e3c11c
Agent Review Summary
Rebase Result: After rebasing onto
Vulnerability Assessment: The React Server Components RCE vulnerability (CVE-2025-55182 / CVE-2025-66478) no longer affects this project because Next.js has been completely removed from the dependency tree.
Review Comments Addressed: All 3 Copilot review comments were replied to, explaining the migration context:
Recommendation: This PR should be closed as the underlying vulnerability no longer applies. No code changes are needed.
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project code-graph. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
- GitHub Security Advisory: GHSA-9qr9-h5gf-34mp
- React Advisory: CVE-2025-55182
- Next.js Advisory: CVE-2025-66478
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com
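The review thread above turns on two questions a practitioner has to answer before trusting a PR like this: does the lockfile actually resolve next to the patched version (a range such as ^15.1.2 in package.json says nothing about what was installed), and is next still in the dependency tree at all after the Vite migration. The script below is an added example, not code from this PR, from Vercel's tooling or from the project; it walks the `packages` map of an npm lockfile (v2/v3 format), reports every resolved copy of next, including nested copies pulled in transitively, and flags any copy below 15.1.9, the version this PR targets. The sample lockfile is constructed for illustration; the patched-version threshold and the package list are the only inputs you would change for a real audit.

```javascript
// Added example: audit an npm package-lock.json for every resolved copy of a
// package and flag copies below a patched version. Not part of the PR or of
// the project; the lockfile below is constructed for illustration.

// Patched minimum taken from this PR (next 15.1.9). Extend for other packages.
const PATCHED = { next: "15.1.9" };

// Minimal semver compare for "MAJOR.MINOR.PATCH[-prerelease]".
// Returns -1, 0 or 1. A prerelease of the same triple sorts below the release.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  const preA = a.includes("-"), preB = b.includes("-");
  if (preA !== preB) return preA ? -1 : 1;
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/next" or, for a nested copy,
// "node_modules/some-plugin/node_modules/next". The last path segment after
// the final "node_modules/" is the package name (scoped names included).
function findPackage(lock, name) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue; // root project or link entry
    const segs = path.split("node_modules/");
    if (segs[segs.length - 1] === name) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Returns one finding per resolved copy; an empty array means the package is
// absent from the tree (the situation the agent reply above describes).
function audit(lock, patched = PATCHED) {
  const findings = [];
  for (const [name, minVersion] of Object.entries(patched)) {
    for (const hit of findPackage(lock, name)) {
      findings.push({ name, ...hit, vulnerable: compareVersions(hit.version, minVersion) < 0 });
    }
  }
  return findings;
}

function auditLockfileText(text, patched = PATCHED) {
  return audit(JSON.parse(text), patched);
}

// Constructed lockfile: package.json says "^15.1.2", which 15.1.9 satisfies,
// yet the lockfile resolved 15.1.2 at top level and a plugin pulled in 15.0.3.
const SAMPLE_LOCK = {
  name: "demo",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "^15.1.2" } },
    "node_modules/next": { version: "15.1.2" },
    "node_modules/some-plugin": { version: "1.0.0", dependencies: { next: "15.0.3" } },
    "node_modules/some-plugin/node_modules/next": { version: "15.0.3" },
    "node_modules/react": { version: "18.3.1" },
  },
};

for (const f of audit(SAMPLE_LOCK)) {
  console.log(`${f.path} resolved ${f.version}: ${f.vulnerable ? "BELOW patched minimum" : "ok"}`);
}
```

To run it against a real project, pass the lockfile contents to `auditLockfileText` (for example from `fs.readFileSync("package-lock.json", "utf8")`); no findings at all for next is the result the agent reply claims for this repository after the Vite migration, and that is a stronger check than reading package.json.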