Update Next.js to 14.2.35 to fix React Server Components RCE vulnerabilities#16
Conversation
Review or Edit in CodeSandboxOpen the branch in Web Editor • VS Code • Insiders |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
…o 14.2.35 Co-authored-by: Abuchtela <84213452+Abuchtela@users.noreply.github.com>
Addresses critical remote code execution vulnerabilities (CVE-2025-55182, CVE-2025-66478) and denial-of-service issues (CVE-2025-55184, CVE-2025-67779) in React Server Components affecting Next.js 14.x stable releases.
Changes
nextfrom14.2.26→14.2.35Security Impact
The previous version allowed unauthenticated RCE via unsafe deserialization in the React Flight protocol. The 14.2.35 release includes patches for all four CVEs with CVSS scores up to 10.0.
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
fonts.googleapis.com/usr/local/bin/node /usr/local/bin/node /home/REDACTED/work/ecosystem-contributions/ecosystem-contributions/node_modules/.pnpm/next@14.2.35_react-dom@18.2.0_react@18.2.0__react@18.2.0/node_modules/next/dist/compiled/jest-worker/processChild.js(dns block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.