
@kenjonespizza
Collaborator

🔒 Security Fix: Update React and Next.js to address CVE-2025-55182

🚨 Security Advisory

This PR addresses CVE-2025-55182, a critical Remote Code Execution (RCE) vulnerability in React Server Components.

Summary

Updates React, React DOM, Next.js, and related dependencies to patched versions that fix a critical RCE vulnerability affecting React 19.x and Next.js 15.x.

📦 Changes

| Package | Previous | New | Modified Files |
| --- | --- | --- | --- |
| react | ^19.1.1 | ^19.2.1 | frontend/package.json, studio/package.json |
| react-dom | ^19.1.1 | ^19.2.1 | frontend/package.json, studio/package.json |
| next | ^15.5.0 | ^15.5.7 | frontend/package.json |
| @types/react | ^19.1.11 | ^19.2.7 | frontend/package.json, studio/package.json |
| @types/react-dom | ^19.1.7 | ^19.2.3 | frontend/package.json |
| sanity | ^4.5.0 | ^4.20.0 | frontend/package.json, studio/package.json |
| @sanity/vision | ^4.5.0 | ^4.20.0 | studio/package.json |

🔍 Vulnerability Details

  • CVE ID: CVE-2025-55182
  • Severity: 🔴 Critical
  • CVSS Score: 9.8 (Critical)
  • Affected Versions:
    • React: 19.0.0 - 19.2.0
    • Next.js: 15.0.0 - 15.5.6
  • Description: Remote Code Execution vulnerability in React Server Components that could allow attackers to execute arbitrary code on the server
  • Reference: https://github.com/advisories/GHSA-[id]

✅ Testing

  • Clean install of dependencies
  • Verified no breaking changes in API
  • Confirmed build passes
  • Validated development server runs correctly

📝 Additional Context

What does this fix?
This updates React and Next.js to versions that patch the CVE-2025-55182 vulnerability in React Server Components.

Why these specific versions?

  • React 19.2.1 is the first patch release containing the security fix
  • Next.js 15.5.7 includes the patched React version and related fixes
  • Sanity updated to ensure compatibility with latest React versions

🚀 Deployment Notes

  • Version Bump: Patch
  • Breaking Changes: None
  • Ready to Deploy: Yes
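A reviewer verifying a bump like this would want to confirm that both the declared specs and the lockfile's resolved versions are outside the affected ranges. The following is an added example, not code from the PR or the project: a small Node script that reads the affected ranges exactly as the PR description states them (React 19.0.0 - 19.2.0, Next.js 15.0.0 - 15.5.6) and audits a `package.json` and a `lockfileVersion` 2/3 `package-lock.json`. The sample manifests are constructed to mirror the "Previous" and "New" columns of the change table; the project's real files are not included here.

```javascript
// Added example (not part of the PR or the project): audit a project's
// package.json and package-lock.json against the affected version ranges
// the PR description lists for CVE-2025-55182. The ranges below are copied
// from that description; the sample manifests are constructed for the demo.

const AFFECTED_RANGES = {
  react: { min: "19.0.0", max: "19.2.0" },
  "react-dom": { min: "19.0.0", max: "19.2.0" },
  next: { min: "15.0.0", max: "15.5.6" },
};

// Parse "19.2.1", "^19.1.1", ">=15.5.0" etc. into [major, minor, patch].
// Only the leading version of a range is read: for caret/tilde specs that is
// the declared floor, the lowest version npm may resolve.
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `spec` falls inside the affected range for `name` (inclusive).
function isAffected(name, spec) {
  const range = AFFECTED_RANGES[name];
  const v = parseVersion(spec);
  if (!range || !v) return false;
  return compareVersions(v, parseVersion(range.min)) >= 0 &&
         compareVersions(v, parseVersion(range.max)) <= 0;
}

// Check declared dependency specs. A clean result here is necessary but not
// sufficient: "^19.1.1" may already resolve to 19.2.1 in the lockfile, and a
// stale lockfile can still pin an affected version under a bumped manifest.
function auditPackageJson(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (isAffected(name, spec)) findings.push({ name, spec, section });
    }
  }
  return findings;
}

// Check resolved versions in a lockfileVersion 2/3 package-lock.json, whose
// "packages" map is keyed by install path ("node_modules/react",
// "node_modules/foo/node_modules/react", "node_modules/@types/react").
function auditLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // "" is the root project entry
    const name = path.slice(idx + marker.length);
    if (entry.version && isAffected(name, entry.version)) {
      findings.push({ name, version: entry.version, path });
    }
  }
  return findings;
}

// Constructed sample manifests mirroring the "Previous" and "New" columns
// of the PR's change table.
const BEFORE_PACKAGE_JSON = {
  dependencies: { react: "^19.1.1", "react-dom": "^19.1.1", next: "^15.5.0", sanity: "^4.5.0" },
};
const AFTER_PACKAGE_JSON = {
  dependencies: { react: "^19.2.1", "react-dom": "^19.2.1", next: "^15.5.7", sanity: "^4.20.0" },
};
const BEFORE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend" },
    "node_modules/react": { version: "19.1.1" },
    "node_modules/react-dom": { version: "19.1.1" },
    "node_modules/next": { version: "15.5.0" },
  },
};
const AFTER_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.1" },
    "node_modules/next": { version: "15.5.7" },
  },
};

if (typeof module !== "undefined" && require.main === module) {
  console.log("before:", auditPackageJson(BEFORE_PACKAGE_JSON), auditLockfile(BEFORE_LOCK));
  console.log("after:", auditPackageJson(AFTER_PACKAGE_JSON), auditLockfile(AFTER_LOCK));
}
```

Run against real files with `JSON.parse(fs.readFileSync("package-lock.json"))`; the lockfile check is the one that matters, since a caret spec only says what npm is allowed to pick, not what is installed. The `studio/` and `frontend/` directories in this repo each have their own manifest and would each need to be audited.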

@kenjonespizza kenjonespizza requested a review from a team as a code owner December 3, 2025 19:33
@vercel

vercel bot commented Dec 3, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
template-nextjs-clean Skipped Skipped Dec 3, 2025 7:43pm

stipsan
stipsan previously approved these changes Dec 3, 2025
@kenjonespizza kenjonespizza dismissed stipsan’s stale review December 3, 2025 19:43

The merge-base changed after approval.

@kenjonespizza kenjonespizza merged commit 2d0f72c into main Dec 3, 2025
6 checks passed
@kenjonespizza kenjonespizza deleted the fix/cve-2025-55182-react-server-components branch December 3, 2025 19:48
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2025