2 changes: 1 addition & 1 deletion apps/dashboard/package.json
@@ -79,7 +79,7 @@
"geist": "1.3.1",
"input-otp": "1.2.4",
"ms": "2.1.3",
"next": "14.2.25",
"next": "14.2.34",
Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

CVE-2025-55182 React Server Components vulnerability

💡 Result:

Summary — CVE-2025-55182 (aka “React2Shell”)

  • What: an unauthenticated pre-auth remote‑code‑execution (RCE) in React Server Components (unsafe deserialization / Flight protocol prototype pollution leading to RCE). [1][2][3]
  • Severity: CVSS 10.0 (maximum); active exploitation reported. [1][3][4]

Affected packages / versions

  • react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack in React v19.0.0, 19.1.0, 19.1.1, 19.2.0. [1][3]
  • Many frameworks/bundlers that incorporate those packages (notably Next.js lines) are also affected; Next.js maintainers published specific patched releases. [1][5]

Immediate actions (short checklist)

  1. Patch immediately to the React patched releases (React: 19.0.1, 19.1.2, 19.2.1) and to the corresponding patched Next.js releases recommended by Next.js. Verify package-lock / yarn.lock for transitive react-server-dom-* packages and update them. [1][5]
  2. Audit all apps for exposed Server Function / RSC endpoints and temporarily disable/unexpose any unneeded endpoints until patched. [2][6]
  3. Apply network mitigations: WAF rules to block suspicious Flight payloads, restrict inbound access to server-side endpoints, and isolate affected servers. [6][2]
  4. Rotate credentials/keys and investigate for indicators of compromise; look for unexpected processes, persistence mechanisms, or outbound C2. If compromise suspected, perform incident response (contain, forensics). [4][6]

References

  • React Team advisory (Dec 3, 2025) — official disclosure + patches. [1]
  • NVD entry for CVE-2025-55182. [3]
  • Technical writeups / advisories describing root cause and exploitation. [2][7]
  • Vendor/incident reports and mitigation guidance (examples: Kaspersky, NetSPI, CMU/ISO). [4][5][6]

Need anything else?

  • If you want, I can: (a) scan a package.json / lockfile you paste to find vulnerable react-server-dom packages, or (b) produce specific WAF rules or search queries/IOCs to hunt for exploitation evidence.

🌐 Web query:

CVE-2025-55183 CVE-2025-55184 Next.js React

💡 Result:

Short answer: I can't find public records for CVE-2025-55183 or CVE-2025-55184. The high‑severity RSC/Next.js issue widely reported in Dec 2025 is CVE‑2025‑55182 (React Server Components, aka "React2Shell") and the Next.js downstream advisory tracked as CVE‑2025‑66478 (a duplicate/Next.js impact entry). Patch/update immediately — React and Next.js published fixes and guidance. [1][2][3]

What to do (concise):

  • Update affected React RSC packages to fixed versions (react-server-dom-webpack/parcel/turbopack -> 19.0.1, 19.1.2, 19.2.1 or later as applicable). See React advisory. [1]
  • Update Next.js to the patched releases listed in the Next.js advisory (upgrade to the patched 15.x/16.x releases shown there). [2]
  • If you cannot patch immediately, deploy WAF rules / block exploit patterns (cloud providers and major vendors published temporary mitigations). [3]

Sources:

  1. React security advisory (Critical Security Vulnerability in React Server Components). [react.dev blog]. [1]
  2. Next.js security advisory (CVE-2025-66478 / Next.js advisory). [nextjs.org]. [2]
  3. Coverage and mitigation notes (news/industry advisories summarizing active exploitation and WAF mitigations). [3]

If you want, I can:

  • check your project’s package.json for vulnerable versions and produce exact upgrade commands, or
  • scan a repo (locally or via paste) to identify affected packages and suggest fixes. Which would you prefer?

🏁 Script executed:

# Check if there's any context in the repository about CVE mentions
rg "CVE-2025-55182|CVE-2025-55183|CVE-2025-55184" --type json --type md --type txt

Repository: unkeyed/unkey

Length of output: 39


🌐 Web query:

Next.js 14.2.34 security vulnerability release notes

💡 Result:

Do you want the security fixes (CVE details) included in Next.js v14.2.34, or the full release/changelog entry and links?


🌐 Web query:

Next.js 14.2.x CVE-2025-66478 vulnerability affected versions

💡 Result:

Affected Next.js versions

  • Vulnerable: Next.js 15.x and 16.x, and canary releases starting at 14.3.0-canary.77 (App Router + RSC).
  • Not affected: Next.js 13.x, stable 14.x, Pages Router apps, and Edge Runtime. [1][2]

Patched releases (upgrade to one of these in your release line):

  • 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7. [1][3]

Recommended action

  • If on 15.x or 16.x: upgrade to the nearest patched version above.
  • If on 14.3.0-canary.77 or later canary: downgrade to the latest stable 14.x (or a pre-14.3 canary) until you can upgrade. [1][3]

Sources: Next.js security advisory (Dec 3, 2025) [1]; GitHub/GitLab advisories summarizing affected/fixed versions. [2][3]


🌐 Web query:

Next.js security advisory CVE-2025-66478 which versions patched

💡 Result:

Affected: Next.js 15.x, 16.x, and 14.3.0-canary.77 and later canary releases (App Router / RSC only). Not affected: Next.js 13.x, stable 14.x, Pages Router apps, or Edge runtime. [1][2]

Patched Next.js releases (upgrade to one of these): 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. (Canary patches also published: 15.6.0-canary.58 and 16.1.0-canary.12.) [1][3]

Sources:
[1] Next.js security advisory (CVE-2025-66478) — nextjs.org/blog/CVE-2025-66478.
[2] GitLab / npm advisory summary for next (CVE-2025-66478).
[3] Next.js GitHub discussion referencing fixed and canary releases.


🌐 Web query:

Next.js 14.2.34 release notes changes

💡 Result:

Do you want a short summary of the changes in Next.js 14.2.34, or the full release notes / links to the official changelog and GitHub commits?


🌐 Web query:

Next.js 14.2.34 security fixes improvements changelog

💡 Result:

I couldn't find a Next.js release tagged 14.2.34. The 14.2.x security fixes and improvements around that series include these published patches and advisories (upgrade to the patched 14.2.x versions listed below):

  • Image optimization: fixes for arbitrary-file-download and cache-key confusion (CVE-2025-55173 and CVE-2025-57752) — patched in 14.2.31 (and 15.4.5). [1][2]
  • Middleware SSRF / improper NextResponse handling: patched in 14.2.32 (and 15.4.7). [3][4]
  • Dev server origin validation fixes (CSWSH / cross-origin script injection) affecting 13..–14.2.29 — see Vercel advisory for CVE-2025-48068. [5]

If you meant a different exact version (for example 14.2.31 or 14.2.32) I can fetch that release’s full changelog; tell me which tag you want and I’ll return the detailed notes and links.

Sources: Vercel changelog and security advisories for the 14.2.x series. [1] Vercel — CVE-2025-55173. [2] GitLab/npm advisory — CVE-2025-57752. [3] GitHub security advisory / Vercel — CVE-2025-57822. [4] GitLab/npm advisory — CVE-2025-57822. [5] Vercel — CVE-2025-48068.


Clarify the CVE references and vulnerability applicability.

The CVE numbers in the PR description (CVE-2025-55183 and CVE-2025-55184) do not exist in public records. The actual React Server Components vulnerability is CVE-2025-55182 (also tracked as CVE-2025-66478 for Next.js), which affects only:

  • React 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (not React 18.2.0)
  • Next.js 15.x, 16.x, and canary releases ≥14.3.0-canary.77 (not stable 14.x)

Since this application uses React 18.2.0 and Next.js 14.2.34 (stable 14.x), it is not vulnerable to CVE-2025-55182 regardless.

Please clarify:

  1. What are the correct CVE numbers being addressed, if any?
  2. What is the actual purpose of this version bump?
  3. Update the PR title and description to accurately reflect the reason for the upgrade.
🤖 Prompt for AI Agents
apps/dashboard/package.json around line 82: the PR references non-existent CVEs
and incorrectly implies the app is vulnerable; verify and state the correct
CVE(s) (if any) — the known React Server Components issue is CVE-2025-55182
(Next.js tracked as CVE-2025-66478) and it affects React 19.x and Next.js 15/16
or canary ≥14.3.0-canary.77, not React 18.2.0 or stable Next 14.2.34 used here;
update the PR title and description to: (1) list the correct CVE(s) if this bump
is intended to remediate a security issue, or explicitly state “no CVE applies”
if it isn’t; (2) state the actual reason for the version bump (bugfix,
dependency compatibility, new feature, etc.); and (3) include a short
compatibility note confirming React 18.2.0 + Next 14.2.34 are not vulnerable so
reviewers understand why no urgent security action is required.
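The comment above tells readers to check their lockfile for transitive react-server-dom-* packages and to compare the installed Next.js version against the affected and patched lists it quotes. The script below is an added, editorial example, not code from this PR or from the unkey repository: it reads a lockfileVersion 2/3 package-lock.json (a constructed sample is embedded; pass a path as the first argument to audit a real one) and reports any react-server-dom-* entry at 19.0.0, 19.1.0, 19.1.1 or 19.2.0, and any `next` entry, nested copies included, that falls inside the affected ranges the comment quotes. The version cutoffs are the ones in the comment; how canaries between the named cutoffs are treated is an assumption flagged in the code, and yarn.lock / pnpm-lock.yaml are not parsed.

```javascript
// Added example, not code from this PR or the unkey repository.
// Audits a package-lock.json (lockfileVersion 2/3) for the React Server
// Components / Next.js versions listed in the review comment above.

// Affected react-server-dom-* versions quoted in the comment.
const AFFECTED_RSC = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);
// Patched stable Next.js release per line, as quoted in the comment.
const NEXT_PATCHED = {
  "15.0": [15, 0, 5], "15.1": [15, 1, 9], "15.2": [15, 2, 6], "15.3": [15, 3, 6],
  "15.4": [15, 4, 8], "15.5": [15, 5, 7], "16.0": [16, 0, 7],
};

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  return m ? { triple: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

function cmpTriple(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "not-affected", "vulnerable", "patched" or "unknown" for a next version.
function nextStatus(version) {
  const v = parseSemver(version);
  if (!v) return "unknown";
  if (v.pre) {
    const m = /^canary\.(\d+)$/.exec(v.pre);
    if (!m) return "unknown"; // other prerelease tags are not covered by the comment
    const n = +m[1];
    // Cutoffs from the comment: affected from 14.3.0-canary.77; canary fixes
    // shipped in 15.6.0-canary.58 and 16.1.0-canary.12.
    if (cmpTriple(v.triple, [14, 3, 0]) < 0) return "not-affected";
    if (cmpTriple(v.triple, [14, 3, 0]) === 0) return n >= 77 ? "vulnerable" : "not-affected";
    if (cmpTriple(v.triple, [15, 6, 0]) === 0) return n >= 58 ? "patched" : "vulnerable";
    if (cmpTriple(v.triple, [16, 1, 0]) === 0) return n >= 12 ? "patched" : "vulnerable";
    // Assumption: canaries between the named cutoffs carry the bug, later ones the fix.
    return cmpTriple(v.triple, [16, 1, 0]) > 0 ? "patched" : "vulnerable";
  }
  if (v.triple[0] < 15) return "not-affected"; // 13.x and stable 14.x per the comment
  const patched = NEXT_PATCHED[`${v.triple[0]}.${v.triple[1]}`];
  if (!patched) return "unknown"; // release line not listed in the comment
  return cmpTriple(v.triple, patched) >= 0 ? "patched" : "vulnerable";
}

// Walks every installed package, including nested node_modules copies, and
// returns the entries that need attention.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    let status = null;
    if (RSC_PACKAGES.has(name)) {
      if (AFFECTED_RSC.has(entry.version)) status = "vulnerable";
    } else if (name === "next") {
      const s = nextStatus(entry.version);
      if (s === "vulnerable" || s === "unknown") status = s;
    }
    if (status) findings.push({ path, name, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile: a React 18 / Next 14.2 app that also pulls in a
// vulnerable react-server-dom-webpack and a nested, unpatched Next 15.4.
const SAMPLE_LOCK = {
  name: "dashboard",
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", dependencies: { next: "14.2.34", react: "18.2.0" } },
    "node_modules/next": { version: "14.2.34" },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-rsc-tool/node_modules/next": { version: "15.4.7" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(10)} ${f.name}@${f.version} (${f.path})`);
  }
}
```

Run it as `node audit-rsc.js path/to/package-lock.json`; with no argument it audits the embedded sample and reports the vulnerable react-server-dom-webpack and the nested Next 15.4.7 while leaving the top-level Next 14.2.34 and React 18.2.0 alone. Nested paths matter because a tool in devDependencies can carry its own copy of `next` that `npm ls next` at the top level will not show.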

"next-themes": "0.3.0",
"nuqs": "1.17.6",
"openai": "4.78.1",
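Review bot: The lockfile is not part of this diff. `"next": "14.2.34"` is an exact pin with no range, so the workspace lockfile (package-lock.json, yarn.lock or pnpm-lock.yaml, whichever this repo uses) has to be regenerated in the same PR, and that lockfile entry is the only place a reviewer can confirm which transitive `react-server-dom-*` versions, if any, come along with it. The move from 14.2.25 to 14.2.34 also spans nine patch releases, so the description should link the 14.2.x changelog for that range rather than the CVE numbers the thread above could not resolve.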
2 changes: 1 addition & 1 deletion apps/engineering/package.json
@@ -21,7 +21,7 @@
"fumadocs-ui": "14.4.0",
"geist": "1.3.1",
"mermaid": "11.12.0",
"next": "14.2.15",
"next": "14.2.34",
"next-themes": "0.4.6",
"react": "18.3.1",
"react-dom": "18.3.1",
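Review bot: apps/engineering moves from 14.2.15 to 14.2.34, nineteen patch releases rather than the nine in apps/dashboard, while `react` and `react-dom` stay pinned at 18.3.1. That pairing is fine for the 14.2 line, which peer-depends on React 18, but the larger gap warrants a note in the PR that this app builds and its checks pass on the new version, since it was the further behind of the two. Same remark as for the dashboard: the regenerated lockfile entry for this workspace is not in the diff.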