Fix React Server Components CVE vulnerabilities #8
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This is an automated security update generated by Vercel to patch React Server Components CVE vulnerabilities (CVE-2025-55182, CVE-2025-55184, and CVE-2025-55183). The PR upgrades Next.js from version 16.0.7 to 16.0.9, which includes fixes for all currently known React Server Components vulnerabilities.
Key Changes:
- Updated Next.js from 16.0.7 to 16.0.9
- Updated all Next.js platform-specific SWC binaries to version 16.0.9
- Updated dependent package references in lockfile to reflect the new Next.js version
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| apps/client/package.json | Updated Next.js dependency specifier from 16.0.7 to 16.0.9 |
| pnpm-lock.yaml | Updated Next.js package resolution, all platform-specific SWC binaries, and transitive dependency references to version 16.0.9; also includes incidental semver package updates from 7.7.2 to 7.7.3 in some dependency chains |
The changes in this pull request are clean and consistent. The automated update has correctly:
- Updated the Next.js version specifier in package.json
- Updated all Next.js package resolutions and snapshots in the lockfile
- Updated all platform-specific SWC compiler binaries to the matching version
- Updated all transitive dependency references that depend on Next.js (e.g., @sentry/nextjs, @vercel/analytics, geist)
The incidental semver package version changes (7.7.2 → 7.7.3) are normal side effects of dependency resolution and do not raise any concerns. All changes are properly aligned and there are no inconsistencies in the lockfile.
No issues were found in this security update.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Important
This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55184 and CVE-2025-55183. We can't guarantee the PR is comprehensive, and it may contain mistakes.
Not all projects are affected by all issues, but patched versions are required to ensure full remediation.
Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.
This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.
See our Security Bulletins for more information and reach out to [email protected] with any questions.