Fix React Server Components CVE vulnerabilities #13

Merged
vercel[bot] merged 1 commit from vercel/react-server-components-cve-vu-6hidgg into master 2025-12-27 15:08:03 +01:00
vercel[bot] commented 2025-12-27 15:05:03 +01:00 (Migrated from github.com)

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance (https://vercel.link/additional-checks) before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project snupai-site (https://vercel.com/snupai/snupai-site). The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

  • GitHub Security Advisory: GHSA-9qr9-h5gf-34mp (https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)
  • React Advisory: CVE-2025-55182 (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
  • Next.js Advisory: CVE-2025-66478 (https://nextjs.org/blog/CVE-2025-66478)

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info (https://vercel.link/cve-2025-55182-automated-pr) | security@vercel.com


Note

Dependency update

  • Upgrades next from ^15.5.7 to 15.5.9 and pins the version to ensure the patched release is used

Scope: Only package.json changed; requires reinstall/build.

Written by Cursor Bugbot for commit 410dbbc28f5667fa8547a0acc46e86dd956ee1fd. This will update automatically on new commits.
vercel[bot] commented 2025-12-27 15:05:05 +01:00 (Migrated from github.com)

The latest updates on your projects. Learn more about Vercel for GitHub (https://vercel.link/github-learn-more).

| Project | Deployment | Review | Updated (UTC) |
| :--- | :--- | :--- | :--- |
| snupai-site | Ready | Preview, Comment | Dec 27, 2025 2:05pm |
cursor[bot] (Migrated from github.com) reviewed 2025-12-27 15:10:10 +01:00
cursor[bot] (Migrated from github.com) left a comment

This PR is being reviewed by Cursor Bugbot

@ -30,3 +30,3 @@
"geist": "^1.3.0",
"next": "^15.5.7",
"next": "15.5.9",
"nodemailer": "^7.0.11",
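Review bot: Only `next` moves in this hunk (`^15.5.7` to `15.5.9`), while the PR text says the affected React and Next.js packages are upgraded; `react` and `react-dom` are not among the visible lines, so confirm they resolve to patched releases after the reinstall the summary calls for. The summary also states that only package.json changed, so no lockfile update is part of this PR and the pin does not take effect until the lockfile is regenerated on reinstall; committing that regenerated lockfile alongside this change would make the patched resolution explicit rather than dependent on each environment's next install.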
cursor[bot] (Migrated from github.com) commented 2025-12-27 15:10:11 +01:00

Version caret removed, blocking future patch updates

The next package version changed from ^15.5.7 to 15.5.9, removing the caret (^) prefix. This pins the dependency to exactly version 15.5.9, which is inconsistent with all other dependencies in the file that use caret ranges. This means future security patches (15.5.10, 15.5.11, etc.) won't be automatically included when running package updates. If intentional for security pinning, this is fine, but if it was an automated PR oversight, it could prevent future patch adoption.

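To make the caret-versus-pin point concrete, here is an added example (not code from the PR, from Bugbot or from the snupai-site project) that checks a package.json range and an npm lockfile fragment against the 15.5.9 floor this PR installs; the manifests, the lockfile fragment and the helper names are constructed for the example.

```javascript
// Added example, not code from the PR or the snupai-site project. It checks the
// caret-vs-pin point from the review: does the declared range guarantee a patched
// `next`, and does the lockfile actually resolve to one? Patched floor 15.5.9 is
// the version this PR installs; the manifests and lockfile below are constructed.
const PATCHED_NEXT = '15.5.9';
const BEFORE = JSON.stringify({ dependencies: { next: '^15.5.7' } }); // pre-PR
const AFTER = JSON.stringify({ dependencies: { next: '15.5.9' } });   // post-PR
// Constructed lockfile fragment: a caret range may still be locked to the old release.
const LOCK_OLD = JSON.stringify({ packages: { 'node_modules/next': { version: '15.5.7' } } });

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not an exact version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric major.minor.patch comparison (negative, zero, positive like strcmp).
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Does a declared range (exact "1.2.3" or caret "^1.2.3", major >= 1) admit v?
function rangeAdmits(range, v) {
  if (range.startsWith('^')) {
    const floor = range.slice(1);
    return parse(floor)[0] === parse(v)[0] && cmp(v, floor) >= 0;
  }
  return cmp(range, v) === 0;
}

// The lowest version a manifest range admits: all a fresh install guarantees.
function manifestFloor(manifestJson) {
  const range = JSON.parse(manifestJson).dependencies.next;
  return range.startsWith('^') ? range.slice(1) : range;
}

// The lockfile's resolved version is what actually ships until a reinstall.
function lockedVersion(lockJson) {
  return JSON.parse(lockJson).packages['node_modules/next'].version;
}
function isPatched(version) { return cmp(version, PATCHED_NEXT) >= 0; }

function report(manifestJson, lockJson) {
  return { floorPatched: isPatched(manifestFloor(manifestJson)),
           lockPatched: isPatched(lockedVersion(lockJson)) };
}
console.log({ before: report(BEFORE, LOCK_OLD), after: report(AFTER, LOCK_OLD) });
```

The post-PR manifest guarantees the patched floor, but a stale lockfile still reports `lockPatched: false`, which is why the summary's "requires reinstall/build" matters.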