CVE-2025-55182

[MatsM16]

Summary by Vercel

TL;DR:
A critical-severity vulnerability in React Server Components (CVE-2025-55182) affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). Under certain conditions, specially crafted requests could lead to unintended remote code execution.

Recommended action
Update to:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

Why?
The company I work for use GitBook and would like to stay secure.
This pr attempts to handle cve-2025-55182 by updating
Next.js: 15.4.0 -> 15.4.8
React: 19.0.0 -> 19.0.1
These versions was selected because they were the closest to the existing versions which hopefully reduces the risk of breaking changes.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 9b9f676

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[MatsM16]

This PR makes #3843 redundant

[conico974]

@MatsM16 Gitbook is already covered by the WAF rule we have in our CDNs.
There is other unrelated issues preventing us from upgrading to 15.4+ for now, we'll address them soon and we'll bump the version then.