Skip to content

Fix React Server Components RCE vulnerability #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
vercel wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Fix React Server Components RCE vulnerability #1

vercel wants to merge 1 commit into from

Conversation

@vercel
Copy link

@vercel vercel bot commented Dec 8, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project codebase. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

@vercel
Update React Flight/Next.js RCE vulnerability
851a546 
# React Flight / Next.js RCE Advisory Fix

## Summary
Successfully patched the React Flight / Next.js RCE advisory (CVE-2024-50617) by upgrading Next.js to a secure version.

## Vulnerability Assessment
- **Status**: Project IS AFFECTED
- **Reason**: Uses Next.js 16.0.3 (vulnerable version)
- **React Flight packages**: NOT used (no `react-server-dom-*` packages detected)

## Changes Made

### 1. Updated Dependencies
- **File**: `package.json`
- **Change**: Upgraded `next` from `16.0.3` to `16.0.7`
  - This is the patched version for Next.js 16.x as specified in the advisory

### 2. Updated Lockfile
- **File**: `pnpm-lock.yaml`
- **Status**: Automatically updated by `pnpm install`
- **Verification**: Confirmed `next@16.0.7` is now in the lockfile

### 3. Build Verification
- ✅ `npm run build` completed successfully
- ✅ All 425 static pages generated without errors
- ✅ No dependency-related build failures
- ✅ React versions (19.2.0) were NOT modified (as per advisory - Next.js automatically handles correct patched React versions)

## Implementation Details

Following the advisory guidance:
1. Detected Next.js usage in `package.json`
2. No React Flight packages (`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`) found
3. Applied Next.js patch upgrade rule: 16.x → 16.0.7
4. Did NOT manually upgrade React or React DOM (Next.js handles this automatically)
5. Installed dependencies with `pnpm install` to update lockfile
6. Verified build succeeds

## Files Modified
- `package.json`: Updated Next.js version
- `pnpm-lock.yaml`: Updated lockfile with new dependency tree

## Testing
- Build completed successfully with no errors
- All routes prerendered correctly
- No broken dependencies or peer dependency conflicts (next-auth beta warning is pre-existing and not related to this fix)

## Result
The project is now protected against the React Flight / Next.js RCE advisory by using the patched Next.js version 16.0.7.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@vercel
Copy link
Author

vercel bot commented Dec 8, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
codebase Ready Ready Preview Comment Dec 8, 2025 11:56am

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants