@vercel vercel bot commented Dec 5, 2025

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project microfrontends-docs. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that remediate the issue.


## React Flight / Next.js RCE Advisory - Patch Implementation

### Summary
Successfully patched the `microfrontends/nextjs-multi-zones` monorepo to address the React Flight / Next.js Remote Code Execution (RCE) vulnerability. The project uses Next.js 15.1.6 with React 19.0.0, both of which were affected by the advisory.

### Changes Made

#### Package.json Updates
The following package.json files were updated to use patched versions:

1. **`microfrontends/nextjs-multi-zones/apps/docs/package.json`**
   - Upgraded `next` from `15.1.6` to `15.1.9` (patched version for 15.1.x)
   - `react` and `react-dom` remain at `19.0.0` (Next.js manages React dependencies automatically)

2. **`microfrontends/nextjs-multi-zones/apps/marketing/package.json`**
   - Upgraded `next` from `15.1.6` to `15.1.9` (patched version for 15.1.x)
   - `react` and `react-dom` remain at `19.0.0` (Next.js manages React dependencies automatically)

3. **`microfrontends/nextjs-multi-zones/packages/eslint-config-custom/package.json`**
   - Upgraded `@next/eslint-plugin-next` from `15.1.6` to `15.1.9` (for consistency with Next.js version)

#### Dependency Verification
The project does **not** use any React Flight packages:
- `react-server-dom-webpack` - Not present
- `react-server-dom-parcel` - Not present
- `react-server-dom-turbopack` - Not present

These packages were therefore not modified, as per the advisory guidelines.

### Lockfile Updates
- **`microfrontends/nextjs-multi-zones/pnpm-lock.yaml`** was regenerated by running `pnpm install` to reflect the patched dependency versions.

### Build Verification
Both Next.js applications were successfully built with the patched dependencies:

1. **docs app** (`apps/docs`): ✓ Built successfully
   - Successfully compiled and generated static pages
   - No dependency-related errors

2. **marketing app** (`apps/marketing`): ✓ Built successfully
   - Successfully compiled and generated static pages
   - No dependency-related errors

### Rationale for Implementation Choices

1. **Next.js Version Upgrade**: Updated to `15.1.9` following the advisory's patch table for Next.js 15.1.x releases.

2. **React Version Unchanged**: Did not manually upgrade `react` and `react-dom` from `19.0.0` because:
   - The advisory specifies to let Next.js supply the correct React versions automatically
   - Next.js 15.1.9 handles React dependency management internally
   - Manual React upgrades are only needed for non-Next.js projects using react-server-dom-* packages

3. **Lockfile Updated**: Regenerated lockfile ensures all transitive dependencies are correctly resolved with the patched versions.

4. **All Apps Patched**: Both `docs` and `marketing` apps required updates, as they both depend on the vulnerable Next.js version.

### Project Details
- **Monorepo Root**: `microfrontends/nextjs-multi-zones/`
- **Package Manager**: pnpm@9.4.0
- **Affected Apps**: 2 (docs, marketing)
- **Build Status**: ✓ All builds successful

### Files Modified
- `microfrontends/nextjs-multi-zones/apps/docs/package.json`
- `microfrontends/nextjs-multi-zones/apps/marketing/package.json`
- `microfrontends/nextjs-multi-zones/packages/eslint-config-custom/package.json`
- `microfrontends/nextjs-multi-zones/pnpm-lock.yaml`

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
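As an added example (not code from the PR or from Vercel's bot), the following Node script performs the two checks the comment above describes over workspace `package.json` data: whether `next` is at the patched release for its minor line, and whether any `react-server-dom-*` package is a direct dependency. Only the 15.1.x → 15.1.9 mapping appears on this page, so the script flags every other minor line for a manual advisory lookup; the sample workspace is constructed to mirror the monorepo paths named in the comment.

```javascript
// Added example, not from the PR or Vercel's bot: the two checks the comment
// above describes, run over package.json data. Only the 15.1.x -> 15.1.9
// mapping is on this page; other minor lines are flagged for manual lookup.
const PATCHED_NEXT = { '15.1': '15.1.9' };
const FLIGHT_PKGS = ['react-server-dom-webpack', 'react-server-dom-parcel',
  'react-server-dom-turbopack'];
// "^15.1.6", "~15.1.6" or "15.1.6" -> [15, 1, 6]; null for ranges/tags.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function allDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}
// status: 'absent' | 'unparseable' | 'unknown-line' | 'vulnerable' | 'patched'
function checkNext(pkg) {
  const spec = allDeps(pkg).next;
  if (!spec) return { status: 'absent' };
  const v = parseVersion(spec);
  if (!v) return { status: 'unparseable', spec };
  const required = PATCHED_NEXT[`${v[0]}.${v[1]}`];
  if (!required) return { status: 'unknown-line', spec };
  const ok = compareVersions(v, parseVersion(required)) >= 0;
  return { status: ok ? 'patched' : 'vulnerable', spec, required };
}
// Direct React Flight packages, which the advisory says need their own upgrade.
function flightPackages(pkg) {
  const deps = allDeps(pkg);
  return FLIGHT_PKGS.filter((name) => name in deps);
}
// Audit a map of package.json path -> parsed contents.
function audit(workspace) {
  return Object.entries(workspace).map(([path, pkg]) => ({
    path, next: checkNext(pkg), flight: flightPackages(pkg),
  }));
}

// Constructed sample: docs app still on 15.1.6, marketing already patched,
// eslint-config package with no `next` dependency at all.
const SAMPLE_WORKSPACE = {
  'apps/docs/package.json': { dependencies: { next: '15.1.6', react: '19.0.0' } },
  'apps/marketing/package.json': { dependencies: { next: '^15.1.9', react: '19.0.0' } },
  'packages/eslint-config-custom/package.json': { devDependencies: { '@next/eslint-plugin-next': '15.1.9' } },
};
const REPORT = audit(SAMPLE_WORKSPACE);
```

Anything reported as `unparseable` or `unknown-line` still needs a human to compare the resolved version in `pnpm-lock.yaml` against the advisory's patch table.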
vercel bot commented Dec 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| blob-starter | Error | | | Dec 5, 2025 10:47pm |
| blob-sveltekit | Error | | | Dec 5, 2025 10:47pm |
| build-output-api-serverless-functions | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| cron | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| edge-ab-testing-google-optimize | Error | | | Dec 5, 2025 10:47pm |
| edge-api-routes-hello-world | Error | | | Dec 5, 2025 10:47pm |
| edge-api-routes-query-parameters | Error | | | Dec 5, 2025 10:47pm |
| edge-functions-api-rate-limit-and-tokens | Error | | | Dec 5, 2025 10:47pm |
| edge-functions-basic-auth-password | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| edge-functions-feature-flag-split | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| edge-functions-i18n | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| edge-functions-ip-blocking | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| edge-functions-power-parity-pricing-strategies | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| edge-geolocation-country-block | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| edge-rewrites-upstash | Error | | | Dec 5, 2025 10:47pm |
| edge-user-agent-based-rendering | Error | | | Dec 5, 2025 10:47pm |
| example-auth-with-ory | Error | | | Dec 5, 2025 10:47pm |
| example-express-bun | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| example-nitro-bun | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| examples | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| flags-sdk-growthbook | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| hono | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| hono-ai-sdk | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| hono-mcp-example | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| kv-redis-starter | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| microfrontends-docs | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| microfrontends-marketing | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| mint-nft | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| nitro-route-rules | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| nodejs-api | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| postgres-drizzle | Error | | | Dec 5, 2025 10:47pm |
| postgres-kysely | Error | | | Dec 5, 2025 10:47pm |
| postgres-pgvector | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| postgres-prisma | Error | | | Dec 5, 2025 10:47pm |
| postgres-starter | Error | | | Dec 5, 2025 10:47pm |
| redirect-with-fallback | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| rust-axum | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| rust-hello-world | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| saas-microservices-api-users | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| saas-microservices-dashboard | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| single-spa-root-microfrontend | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| solutions-cms-contentstack-commerce | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| solutions-microfrontends-docs | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| solutions-nx-monorepo | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| solutions-testing | Ready | Preview | Comment | Dec 5, 2025 10:47pm |
| toolbar-statsig | Building | Preview | Comment | Dec 5, 2025 10:47pm |
| vercel-plus-fastapi | Building | Preview | | Dec 5, 2025 10:47pm |
| wasm-rust-hello-world | Error | | | Dec 5, 2025 10:47pm |
| wasm-rust-xor | Error | | | Dec 5, 2025 10:47pm |

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | npm/next@15.1.9 | 83 | 25 | 93 | 98 | 70 |
| Added | npm/@next/eslint-plugin-next@15.1.9 | 100 | 100 | 73 | 99 | 100 |
