Skip to content

Fix React Server Components RCE vulnerability #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
vercel wants to merge 1 commit into
base: docs/add-cocso-ui.com-docs
Choose a base branch
from
Draft

Fix React Server Components RCE vulnerability #82

vercel wants to merge 1 commit into from

Conversation

@vercel
Copy link

@vercel vercel bot commented Dec 8, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project cocso-ui. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | [email protected]

@vercel
Update packages for React Flight RCE advisory
027287f 
Addressed React Flight / Next.js RCE Advisory (CVE-2025-21630)

## Analysis
Scanned the monorepo for vulnerable packages:
- Root package.json: No Next.js or React Flight packages
- docs/website/package.json: **AFFECTED** - Contains next@^16.0.6
- docs/storybook/package.json: No Next.js or React Flight packages (Vite-based Storybook)
- ecosystem/baseframe/package.json: No vulnerable dependencies (CLI tool)
- packages/baseframe/package.json: No vulnerable dependencies
- packages/css/package.json: No vulnerable dependencies
- packages/react/package.json: No vulnerable dependencies (library only)
- packages/react-icons/package.json: No vulnerable dependencies (library only)

**Key Finding:** Only the docs/website project uses Next.js and was affected.

## Changes Made

### Modified Files:
1. **docs/website/package.json**
   - Updated: `next@^16.0.6` → `next@^16.0.7`
   - Reason: Patched version that addresses the React Flight / Next.js RCE vulnerability (CVE-2025-21630)
   - React/React-DOM versions: Not modified (Next.js 16.0.7 provides correct patched versions automatically)

2. **pnpm-lock.yaml**
   - Updated: Lockfile now resolves to [email protected]
   - Verified that all dependencies resolve correctly with patched version

## Verification
✓ Dependencies installed successfully using `pnpm install`
✓ Lockfile updated to [email protected] (verified in pnpm-lock.yaml)
✓ Full project build successful: `pnpm run build` completed without errors
✓ Next.js website built successfully with new patched version
✓ No React Flight / RSC packages present (not a non-Next React app scenario)

## Notes
- This is a pnpm monorepo with workspace dependencies
- Only docs/website was affected; other packages don't use Next.js
- No manual React/React-DOM version changes needed for Next.js projects
- Build process verified successfully with all workspace packages

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@vercel
Copy link
Author

vercel bot commented Dec 8, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
cocso-ui Ready Ready Preview Comment Dec 8, 2025 3:19pm
cocso-ui-storybook Ready Ready Preview Comment Dec 8, 2025 3:19pm

@changeset-bot
Copy link

changeset-bot bot commented Dec 8, 2025

⚠️ No Changeset found

Latest commit: 027287f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link

coderabbitai bot commented Dec 8, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant