Skip to content

Update Next.js to 14.2.35 to fix React Server Components RCE vulnerabilities#16

Draft
Abuchtela with Copilot wants to merge 2 commits into
mainfrom
copilot/update-documentation-for-ecosystem
Draft

Update Next.js to 14.2.35 to fix React Server Components RCE vulnerabilities#16
Abuchtela with Copilot wants to merge 2 commits into
mainfrom
copilot/update-documentation-for-ecosystem

Conversation

Copilot AI commented Dec 28, 2025

Copy link
Copy Markdown

Addresses critical remote code execution vulnerabilities (CVE-2025-55182, CVE-2025-66478) and denial-of-service issues (CVE-2025-55184, CVE-2025-67779) in React Server Components affecting Next.js 14.x stable releases.

Changes

  • package.json: Bump next from 14.2.2614.2.35
  • pnpm-lock.yaml: Updated transitive dependencies to patched versions

Security Impact

The previous version allowed unauthenticated RCE via unsafe deserialization in the React Flight protocol. The 14.2.35 release includes patches for all four CVEs with CVSS scores up to 10.0.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • fonts.googleapis.com
    • Triggering command: /usr/local/bin/node /usr/local/bin/node /home/REDACTED/work/ecosystem-contributions/ecosystem-contributions/node_modules/.pnpm/next@14.2.35_react-dom@18.2.0_react@18.2.0__react@18.2.0/node_modules/next/dist/compiled/jest-worker/processChild.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Reference: 5a442b5


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@codesandbox

codesandbox Bot commented Dec 28, 2025

Copy link
Copy Markdown

Review or Edit in CodeSandbox

Open the branch in Web EditorVS CodeInsiders

Open Preview

@vercel

vercel Bot commented Dec 28, 2025

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
ecosystem-contributions Ready Ready Preview, Comment Dec 28, 2025 10:04am

@coderabbitai

coderabbitai Bot commented Dec 28, 2025

Copy link
Copy Markdown

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@google-cla

google-cla Bot commented Dec 28, 2025

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

…o 14.2.35

Co-authored-by: Abuchtela <84213452+Abuchtela@users.noreply.github.com>
Copilot AI changed the title [WIP] Update documentation for ecosystem contributions Update Next.js to 14.2.35 to fix React Server Components RCE vulnerabilities Dec 28, 2025
Copilot AI requested a review from Abuchtela December 28, 2025 10:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants