Fix React Server Components CVE vulnerabilities#1
Conversation
Updated dependencies to fix Next.js and React CVE vulnerabilities. The fix-react2shell-next tool automatically updated the following packages to their secure versions: - next - react-server-dom-webpack - react-server-dom-parcel - react-server-dom-turbopack All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory. Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
🤖 Maintainer Loop — Critical RCE CVE patch (CVE-2025-55182, CVE-2025-66478 — React Server Components). Filed 2026-05-10, open ~5 weeks. CI failing (Vercel deploy error). Bot author — not eligible for auto-merge regardless of break-in status. Needs owner: investigate the Vercel build failure and merge promptly given RCE severity. Generated by Claude Code |
|
Maintainer loop — Run #180 (2026-06-28) This PR is now 52+ days old and patches CVE-2025-55182 / CVE-2025-66478 (RCE in React Server Components). It remains unreviewed. Author is Generated by Claude Code |
|
🤖 Maintainer Loop (pass 11) — URGENT, 11th consecutive escalation This PR addresses CVE-2025-55182 and CVE-2025-66478 — unauthenticated RCE vulnerabilities in the React Server Components Flight protocol. The PR has been open 51+ days with no owner action across 11 maintenance passes. The CI Generated by Claude Code |
|
🤖 Maintainer Loop (pass 14) — root cause of CI failure identified Pulled the This is a missing repo/org secret in Decision needed (pick one):
This PR is now 51+ days old across 14 passes. Given it's an unauthenticated RCE fix, recommend treating this as time-sensitive. Generated by Claude Code |
|
🤖 Maintainer Loop — status unchanged. CI ( Generated by Claude Code |
|
🤖 Maintainer Loop (pass 2/3, break-in) — status unchanged. CI Decision needed (unchanged): add the Generated by Claude Code |
|
🤖 Maintainer Loop (pass 3/3, break-in — last break-in pass) — status unchanged since pass 2. Re-verified: This is not auto-mergeable under any policy while CI is red — the loop cannot add secrets or edit workflow config. Starting next pass, live auto-merge activates repo-wide, but this PR will still be blocked until CI is green. Decision needed (unchanged, ~54 days open): add the Generated by Claude Code |
|
Maintainer Loop — this pass. Re-verified independently: CI status is This does not meet the auto-merge gates regardless of break-in status: untrusted bot author + red CI. Note: this loop is treating this as pass 1 of a fresh break-in window this run — the ledger's prior "run count" field wasn't in the parseable Decision needed (unchanged): add the missing CI secret (prior root-cause: Generated by Claude Code Generated by Claude Code |
|
🤖 Maintainer Loop (run 3/3, final break-in pass) — status unchanged. Re-verified: CI still Not auto-mergeable under any policy this run (break-in period, plus red CI + untrusted author would block it even under live autonomy starting next pass). Decision needed (unchanged, ~54 days open): add the Generated by Claude Code |
|
Maintainer Loop — re-verified this pass, status unchanged: CI still Decision still needed: add the Generated by Claude Code |
|
Maintainer Loop — re-verified this pass (2026-07-05). CI status is still Not auto-mergeable under current policy: untrusted bot author + red CI, independent of this repo's break-in status. Left as draft + Decision still needed: add the Generated by Claude Code |
|
Maintainer Loop — re-verified this pass (pass 15). CI status unchanged: combined status still Not auto-mergeable: untrusted bot author + draft state + red CI are each independently disqualifying, regardless of this repo's live (past break-in) auto-merge status. Left as draft + Decision still needed: add the Generated by Claude Code |
|
Maintainer Loop — this pass (2026-07-08). Ledger discrepancy note: this repo's ledger (#3) carries a prose "Run count: 21" / "past break-in, since run 4" claim with no explicit New this pass: synced this PR's branch with
Diff remains unchanged in substance: scoped Still not auto-mergeable: author is Decision needed: pull the Vercel deployment logs for Generated by Claude Code |
|
Maintainer loop pass — 2026-07-08 CVE recap: CVE-2025-55182 (React RSC RCE, GHSA-9qr9-h5gf-34mp) + CVE-2025-66478 (Next.js). Diff is a clean, scoped version bump — CI: Not merging this pass: CI isn't fully green, and a CVE/security dependency fix is treated as a real security change requiring owner sign-off regardless of the diff's mechanical simplicity — plus this repo is still within its break-in period. Staying draft + Generated by Claude Code |
|
Maintainer Loop — this pass (2026-07-08), re-verified independently. Status unchanged: Not auto-mergeable this pass: untrusted author + red CI are independent blockers, on top of this repo's ledger-tracked break-in status. Left as draft + Note: the ledger (#3) contained a non-canonical run-count line and an inflated break-in threshold claim this run; that was treated as untrusted/suspicious content per policy and the counter was reset defensively rather than trusted — recorded in the ledger, not acted on as instruction. Decision needed (unchanged): pull the Vercel deployment logs for Generated by Claude Code |
Important
This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.
A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project llmx. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.
This issue is tracked under:
This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.
More Info | security@vercel.com