Skip to content

Fix React Server Components RCE vulnerability#3

Open
vercel[bot] wants to merge 1 commit into
mainfrom
vercel/react-flightnextjs-rce-advisor-7psvoi
Open

Fix React Server Components RCE vulnerability#3
vercel[bot] wants to merge 1 commit into
mainfrom
vercel/react-flightnextjs-rce-advisor-7psvoi

Conversation

@vercel

@vercel vercel Bot commented Dec 8, 2025

Copy link
Copy Markdown

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project visionpulse. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

## React Flight / Next.js RCE Advisory Fix

### Summary
Updated the VisionPulse repository to address the React Flight / Next.js RCE advisory (CVE-2024-50406 and related).

### Vulnerability Detection
- ✅ Project uses **Next.js 15.3.3** (vulnerable)
- ✓ Project uses **React 18.3.1** (not vulnerable, no action needed)
- ✓ Project does NOT use any React Flight packages:
  - No `react-server-dom-webpack`
  - No `react-server-dom-parcel`
  - No `react-server-dom-turbopack`

### Changes Made

#### Modified Files
- **package.json**: Upgraded `next` from `15.3.3` to `15.3.6` (patched version)
- **package-lock.json**: Updated to reflect the new dependencies after running `npm install`

### Upgrade Details
- Next.js 15.3.3 → 15.3.6 (following advisory guidance for 15.3.x releases)
- React and React-DOM remain at 18.3.1 (no vulnerability, and Next.js manages these automatically)
- All other dependencies remain unchanged

### Verification Steps Completed
1. ✅ Ran `npm install` to update lockfiles
2. ✅ Verified that `next@15.3.6` is present in package-lock.json
3. ✅ Built the project with `npm run build` - **Build succeeded with 0 errors**
4. ✅ No TypeScript or compilation errors introduced

### Build Output
```
   ▲ Next.js 15.3.6
   Creating an optimized production build ...
 ✓ Compiled successfully in 27.0s
 ✓ Generating static pages (10/10)
```

The project compiles and builds successfully with the patched version of Next.js 15.3.6.

### Notes
- This is a Next.js project, so React and React-DOM versions are automatically managed by Next.js and do not need manual updates
- No application logic changes were required - only dependency version updates
- The patched version fixes the RCE vulnerability in Next.js's internal serialization handling

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@vercel

vercel Bot commented Dec 8, 2025

Copy link
Copy Markdown
Author

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
visionpulse Ready Ready Preview Apr 6, 2026 2:47pm

@hardihardi hardihardi marked this pull request as ready for review December 8, 2025 19:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants