Fix React Server Components CVE vulnerabilities#98
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| "linkedom": "^0.18.5", | ||
| "lucide-react": "^0.453.0", | ||
| "next": "15.0.6", | ||
| "next": "15.0.7", |
There was a problem hiding this comment.
Bug: Security fix claims to update React but doesn't
The PR description states it "updates your React, Next.js, and related Server Components packages" to fix CVE-2025-55182 (React2Shell) and related vulnerabilities. However, only next is updated from 15.0.6 to 15.0.7. The react and react-dom packages remain at the old release candidate version 19.0.0-rc-cd22717c-20241013 from October 2024. If React Server Components vulnerabilities require patched React packages as well, this fix may be incomplete and leave the application vulnerable.
Additional Locations (1)
1 participant
Important
This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. We can't guarantee the PR is comprehensive, and it may contain mistakes.
Not all projects are affected by all issues, but patched versions are required to ensure full remediation.
Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.
This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.
See our Security Bulletins for more information and reach out to security@vercel.com with any questions.
Fixes VULN-3315
Note
Upgrades Next.js from 15.0.6 to 15.0.7 and refreshes lockfile entries for packages tied to Next.
nextfrom15.0.6to15.0.7inpackage.json.pnpm-lock.yamlto resolvenext@15.0.7and align related entries (@next/env,@vercel/analytics,@vercel/speed-insights,geist, etc.).Written by Cursor Bugbot for commit 90230a1. This will update automatically on new commits. Configure here.