website icon indicating copy to clipboard operation
website copied to clipboard
verified publisher icon swc-project

Fix React Server Components CVE vulnerabilities

Open vercel[bot] opened this issue 2 months ago • 4 comments

[!IMPORTANT] This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55184 and CVE-2025-55183. We can't guarantee the PR is comprehensive, and it may contain mistakes.

Not all projects are affected by all issues, but patched versions are required to ensure full remediation.

Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.

This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.

See our Security Bulletins for more information and reach out to [email protected] with any questions.

Fixes VULN-2954

vercel[bot] avatar Dec 11 '25 22:12 vercel[bot]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
plugins Ready Ready Preview Comment Dec 11, 2025 10:03pm
website Ready Ready Preview Comment Dec 11, 2025 10:03pm

vercel[bot] avatar Dec 11 '25 22:12 vercel[bot]

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Dec 11 '25 22:12 CLAassistant

Pull Request Review: React Server Components CVE Security Patch

Summary

This automated PR updates Next.js from 15.4.8 to 15.4.9 to address critical React Server Components vulnerabilities (CVE-2025-55182, CVE-2025-55184, CVE-2025-55183). The changes affect both workspace apps: apps/plugins and apps/website.

Code Quality & Best Practices

✅ Positive Aspects

  1. Minimal Surface Area: The PR focuses exclusively on dependency updates - no code changes, reducing risk of introducing bugs
  2. Consistent Updates: Both workspace packages are updated to the same Next.js version (15.4.9), maintaining consistency
  3. Lock File Management: The pnpm-lock.yaml updates are comprehensive and properly regenerated
  4. Formatting Changes: Lock file formatting changes (quote style normalization) are cosmetic and don't affect functionality

⚠️ Observations

  1. Massive Lock File Changes: 6,711 deletions and 3,215 additions in pnpm-lock.yaml - Most changes are quote style normalization, typical for automated dependency updates
  2. Lock File Format Version: No change to lockfileVersion (remains 6.0), which is good for stability

Potential Bugs or Issues

⚠️ Testing Required

  1. No Breaking Changes Expected: Patch version bump (15.4.8 → 15.4.9) should be backward compatible per semver
  2. Dependency Tree Changes: The lock file shows extensive transitive dependency updates that should be validated

🔍 Recommended Validation

Before merging, verify:

  • pnpm install
  • Build both apps: pnpm --filter swc-plugins build && pnpm --filter swc-site build
  • Test Server Components rendering, Server Actions, Client-Server boundaries, middleware, and dynamic routes

Security Concerns

✅ Critical Security Improvements

  1. CVE Remediation: Addresses three critical CVEs including CVE-2025-55182 (React2Shell) - a high severity RCE vulnerability
  2. Defense in Depth: Vercel has deployed WAF mitigations, but upgrading is still required for complete protection

🔒 Post-Merge Security Checklist

  • Monitor runtime logs for RSC-related errors
  • Review Vercel deployment logs for warnings
  • Check Vercel Security Bulletins for updates
  • Verify no degradation in security headers or CSP

Performance Considerations

✅ Expected Performance Impact

  1. Patch Version: Unlikely to have performance regressions
  2. Security Fixes: May include optimizations alongside security patches
  3. Bundle Size: No significant bundle size changes expected

Recommend comparing build times and bundle sizes before/after merge.

Test Coverage

⚠️ Testing Gaps

  1. No Test Changes: This PR contains only dependency updates
  2. Integration Tests: Should verify Server Components still work correctly
  3. E2E Tests: If available, run full regression suite

📋 Recommended Test Strategy

Manual testing: Server Components rendering, Server Actions, client/server boundaries, dynamic imports, Suspense boundaries, middleware, API routes

Automated: Run existing tests, type checking (tsc --noEmit), and linting

Overall Recommendation

APPROVE with conditions

Strengths:

  • Addresses critical security vulnerabilities
  • Minimal change scope (dependency update only)
  • Follows semver (patch version)
  • Both workspace packages updated consistently

Conditions before merge:

  1. Run full build on both apps
  2. Manual smoke testing of key RSC features
  3. Review deployment logs after merge
  4. Monitor production for 24-48 hours post-deploy

Merge Strategy: Merge during low-traffic period if possible, have rollback plan ready, monitor error tracking closely after deploy

Additional Notes

  • Vercel Contact: [email protected]
  • PR Automation: Vercel bot-generated PR
  • Vulnerability Reference: VULN-2954

Summary

This is a critical security update that should be merged as soon as possible after basic validation. The changes are minimal and focused, reducing risk while addressing serious vulnerabilities.

claude[bot] avatar Dec 11 '25 22:12 claude[bot]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednext@​15.4.8 ⏵ 15.4.994 +1110091 +198 +170

View full report

socket-security[bot] avatar Dec 11 '25 22:12 socket-security[bot]