Skip to content

fix: React and Next fixes for CVE-2025-55184 and CVE-2025-55183 #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ph3t wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: React and Next fixes for CVE-2025-55184 and CVE-2025-55183 #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions apps/web/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,12 @@
"class-variance-authority": "^0.7.1",
"clsx": "^2.1.1",
"lucide-react": "^0.487.0",
"next": "^15.3.6",
"next": "^15.3.8",
Copy link

@coderabbitai coderabbitai bot Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

CVE-2025-55182 React vulnerability CVSS 10.0

💡 Result:

Short summary — CVE-2025-55182 (aka "React2Shell")

  • What it is: a pre-authentication remote‑code‑execution (RCE) in React Server Components due to unsafe deserialization of Server Function payloads. CVSS base score: 10.0 (critical). [1][2][3]
  • Affected packages/versions: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack in 19.0, 19.1.0, 19.1.1, 19.2.0 (also affects downstream frameworks like Next.js when using RSC/App Router). [1][3][4]
  • Patched versions: upgrade to 19.0.1, 19.1.2, or 19.2.1 (and apply the Next.js patched releases listed by vendors). Apply vendor advisories for exact versions. [1][3]
  • Exploitation: public exploit code and active exploitation observed soon after disclosure; multiple threat actors reported using the flaw. Prioritize patching immediately. [3][5][4]
  • Mitigation steps: patch affected React/Next.js packages immediately; if patching is not immediately possible, block/unexpose Server Function endpoints and follow vendor mitigations/incident guidance. Verify deployments do not use vulnerable RSC packages. [1][3][4]

Sources

  1. React Security advisory / blog post (React team).
  2. NVD entry for CVE-2025-55182.
  3. Datadog Security Labs analysis (technical details, CVSS=10.0).
  4. CveDetails / CISA listing (affected versions, EPSS/mitigation notes).
  5. Reporting on active exploitation (industry news).

🌐 Web query:

React 19.0.3 security fixes release notes

💡 Result:

There is no React 19.0.3 release listed in the official changelogs or release history. The recent security notes for React 19 concern a critical RCE in React Server Components (CVE-2025-55182) disclosed Dec 3, 2025; fixes were published in react-server-dom packages as 19.0.1, 19.1.2, and 19.2.1 (React team recommendation: upgrade immediately). Follow‑up DoS and source‑code‑exposure issues were disclosed Dec 11, 2025 and React recommended upgrading again. [1][2][3]

Sources:

  • React blog — Critical Security Vulnerability in React Server Components (Dec 3, 2025). Lists affected packages and fixed versions 19.0.1, 19.1.2, 19.2.1. [1]
  • React blog — Denial of Service and Source Code Exposure in React Server Components (Dec 11, 2025). [2]
  • React 19.0 release history / changelog (no 19.0.3 entry). [3]

If you want, I can fetch the exact release/changelog entries and paste the full release-note text for the fixed package versions.

🌐 Web query:

Next.js 15.3.8 security fixes changelog

💡 Result:

Do you mean the official Next.js release v15.3.8? I can fetch the v15.3.8 changelog and security fixes from Next.js/Vercel and GitHub — shall I look that up now?

🌐 Web query:

CVE-2025-55184 CVE-2025-55183 React security

💡 Result:

Summary — React Server Components vulnerabilities

  • CVE-2025-55183: an information‑disclosure bug in React Server Components (react-server-dom-webpack / -parcel / -turbopack). A crafted HTTP request to a Server Function can return the source code of Server Functions (affects listed 19.x releases). [1]

  • CVE-2025-55184: a pre‑authentication denial‑of‑service via unsafe deserialization of Server Function request payloads that can cause an infinite loop and hang the server process (affects the same react-server-dom packages / 19.x releases). [2]

Mitigation / guidance

  • Apply vendor patches or upgraded React Server Components releases as provided by the React team (see React security advisory). If you cannot patch immediately, deploy WAF/virtual‑patch rules — several providers (e.g., Fastly) have published blocking rules for both CVEs. [3]

Sources
[1] NVD entry — CVE-2025-55183.
[2] NVD entry — CVE-2025-55184.
[3] Fastly virtual patches for CVE-2025-55183 and CVE-2025-55184.

🏁 Script executed:

#!/bin/bash
# Check if React 19.0.3 exists in npm registry
npm view [email protected] 2>&1 | head -20

Repository: happyrobot-ai/frontend-interview

Length of output: 626

🏁 Script executed:

#!/bin/bash
# Check Next.js 15.3.8 details
npm view [email protected] 2>&1 | head -20

Repository: happyrobot-ai/frontend-interview

Length of output: 595

🏁 Script executed:

#!/bin/bash
# Look at the current package.json to see what versions are being updated FROM
if [ -f "apps/web/package.json" ]; then
  cat -n "apps/web/package.json" | grep -E "(react|next)" | head -20
fi

Repository: happyrobot-ai/frontend-interview

Length of output: 620

🏁 Script executed:

#!/bin/bash
# Check git diff to see what versions changed
cd apps/web && git diff HEAD -- package.json 2>&1 | head -50

Repository: happyrobot-ai/frontend-interview

Length of output: 58

🌐 Web query:

React 19.0.3 release notes security fixes changelog

💡 Result:

Short answer: there is no official React 19.0.3 release. The React releases/changelog and GitHub releases list shows 19.0.0 → 19.0.1 → 19.0.2 (and later 19.1.x / 19.2.x), but no 19.0.3 tag. See the React GitHub releases page. [1]

If you were asking about security fixes in the React 19 line: the recent critical RSC (React Server Components) RCE was disclosed as CVE-2025-55182 (fixed in 19.0.1 / 19.1.2 / 19.2.1), and follow‑up DoS/source‑exposure issues were disclosed on Dec 11, 2025. See the React security posts for the changelog/details. [2][3]

Sources:

  • React releases (GitHub releases page — shows 19.0.0/19.0.1/19.0.2 and later tags; no 19.0.3 tag). [1]
  • React blog — "Critical Security Vulnerability in React Server Components" (CVE-2025-55182; fixes and fixed versions). [2]
  • React blog — follow-up "Denial of Service and Source Code Exposure in React Server Components" (additional CVEs and timeline). [3]

🌐 Web query:

Next.js 15.3.8 release notes security changelog

💡 Result:

Do you want a short summary or the direct links? I can summarize the 15.3.x security fixes (RSC / React CVEs, cache-poisoning fixes) and link the Next.js security advisory and the CVE advisories.

🏁 Script executed:

#!/bin/bash
# Check React 19.0.3 more thoroughly - check if it's yanked or pre-release
npm view [email protected] --json 2>&1 | jq '.version, .dist.tarball, .deprecated' 2>&1 || npm info [email protected] 2>&1

Repository: happyrobot-ai/frontend-interview

Length of output: 143

🏁 Script executed:

#!/bin/bash
# Check git log for package.json changes
git log --oneline apps/web/package.json 2>&1 | head -10

Repository: happyrobot-ai/frontend-interview

Length of output: 118

🌐 Web query:

React 19.0.3 npm package official release Meta React team

💡 Result:

Short answer: There is no official stable release of the core react package published as [email protected] by the Meta/React team. The npm registry shows [email protected] (and various canary builds) as published versions, while @types/react has a 19.0.3 types package. [1][2]

Sources:

  • react package versions on npm (shows 19.0.0 and canary builds; no stable 19.0.3). [1]
  • @types/react on npm (published version 19.0.3). [2]

🌐 Web query:

Next.js 15.3.8 CVE-2025-55182 CVE-2025-55183 CVE-2025-55184 security patch

💡 Result:

Short answer: These vulnerabilities (CVE-2025-55182, CVE-2025-55183, CVE-2025-55184) affect Next.js App Router via React Server Components and must be fixed by upgrading — Next.js published a security update on Dec 11, 2025 that lists the patched releases. For 15.3.x you should upgrade to 15.3.7 (not 15.3.8). [1][2]

What to do now

  • Upgrade the package immediately (example for 15.3.x):
    npm install [email protected]
  • There is no workaround; upgrading to a patched release is required. [1]

Key references

  • Next.js security advisory (Dec 11, 2025) — affected versions and fixed releases (15.3.7 for 15.3.x). [1]
  • Snyk / security write-ups summarizing CVE-2025-55182 (React RSC RCE) and downstream Next.js impact. [2]

If you want, I can:

  • check your project’s installed Next.js version and recommend the exact upgrade command, or
  • scan a repo/deployment for exposure indicators.

React 19.0.3 does not exist as an official release; use a valid patched version instead.

React 19.0.3 is not published by the Meta React team. The actual patched versions for CVE-2025-55182 (critical RCE) and the follow-up CVEs (CVE-2025-55183, CVE-2025-55184) are 19.0.1, 19.1.2, or 19.2.1 depending on your target minor version. Update react and react-dom to one of these official releases.

Next.js 15.3.7 is the official patched version for 15.3.x per the Next.js security advisory (Dec 11, 2025); the PR specifies 15.3.8. Verify that 15.3.8 is intentional and contains all necessary security fixes, or downgrade to 15.3.7 if it is the recommended patch.

If this application uses React Server Components (RSC) with Next.js App Router, these updates are critical and must be deployed immediately. Non-RSC applications are not affected by these vulnerabilities.

🤖 Prompt for AI Agents 
In apps/web/package.json around line 17, the PR pins next to "15.3.8" and
references an invalid React release (19.0.3); replace react and react-dom with
an official patched release (choose 19.0.1, 19.1.2, or 19.2.1 based on your
target minor line) and either change Next.js to the official patched 15.3.7 or
confirm 15.3.8 intentionally contains the security fixes before keeping it;
update package.json entries accordingly, run npm/yarn install to update
lockfile, and ensure the app is redeployed immediately if using Next.js App
Router / React Server Components.

"next-themes": "^0.4.6",
"nuqs": "^2.4.3",
"radix-ui": "^1.4.2",
"react": "^19.0.0",
"react-dom": "^19.0.0",
"react": "^19.0.3",
"react-dom": "^19.0.3",
"sonner": "^2.0.5",
"tailwind-merge": "^3.3.1",
"tw-animate-css": "^1.3.4",
Expand Down
6 changes: 3 additions & 3 deletions pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.