
Conversation

@vercel
Contributor

@vercel vercel bot commented Dec 12, 2025

User description

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project games. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com


PR Type

Bug fix


Description

  • Upgrades Next.js from 15.3.4 to 15.3.8 to patch critical RCE vulnerability

  • Addresses React Server Components CVE-2025-55182 and CVE-2025-66478

  • Remediates insecure deserialization in React Flight protocol


Diagram Walkthrough

flowchart LR
  A["Next.js 15.3.4<br/>Vulnerable"] -- "Security Patch" --> B["Next.js 15.3.8<br/>Patched"]
  C["CVE-2025-55182<br/>CVE-2025-66478"] -- "Fixed by" --> B

File Walkthrough

Relevant files
Bug fix
package.json: Upgrade Next.js to patched security version (+1/-1)

  • Updated Next.js dependency from version 15.3.4 to 15.3.8
  • Patches critical RCE vulnerability in React Server Components
  • Remediates insecure deserialization in React Flight protocol

Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel  
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
@vercel
Contributor Author

vercel bot commented Dec 12, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project  Deployment  Preview  Comments  Updated (UTC)
games    Ready       Preview  Comment   Dec 12, 2025 0:46am

@netlify

netlify bot commented Dec 12, 2025

Deploy Preview for lsngames ready!

Name Link
🔨 Latest commit 2916be0
🔍 Latest deploy log https://app.netlify.com/projects/lsngames/deploys/693c0e9bb1aaac0008da5b99
😎 Deploy Preview https://deploy-preview-37--lsngames.netlify.app

@coderabbitai

coderabbitai bot commented Dec 12, 2025

Important

Review skipped

Bot user detected.


📝 Walkthrough

The Next.js dependency version is updated from 15.3.4 to 15.3.8 in package.json, reflecting a minor version increment to incorporate latest bug fixes and improvements.

Changes

Cohort / File(s)                 Summary
Dependency Update: package.json  Bumps Next.js from 15.3.4 to 15.3.8

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

  • Single dependency version bump with no cascading changes or compatibility concerns evident

Poem

🐰 Next.js hops along the path,
From fifteen-three-point-four so fast,
To fifteen-three-point-eight it leaps,
Bug fixes bundled, improvements deep!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title directly relates to the main change: upgrading Next.js to fix React Server Components CVE vulnerabilities as stated in the PR description.
Description check ✅ Passed The description comprehensively documents the security vulnerability, CVE references, and the specific Next.js version upgrade needed to remediate the issue.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Dec 12, 2025

Deploying with Cloudflare Workers

The latest updates on your project.

Status                Name   Latest Commit  Updated (UTC)
❌ Deployment failed  games  2916be0        Dec 12 2025, 12:47 PM

@deepsource-io

deepsource-io bot commented Dec 12, 2025

Here's the code health analysis summary for commits f0f966a..2916be0. View details on DeepSource ↗.

Analysis Summary

Analyzer       Status
JavaScript     ✅ Success
Python         ✅ Success
Rust           ✅ Success
Secrets        ✅ Success
Ruby           ✅ Success
Shell          ✅ Success
Scala          ✅ Success
SQL            ✅ Success
Terraform      ✅ Success
Test coverage  ⚠️ Artifact not reported (Timed out: Artifact was never reported)
Swift          ✅ Success
C & C++        ✅ Success
C#             ✅ Success
Ansible        ✅ Success

@LCSOGthb
Owner

@coderabbitai review

@coderabbitai

coderabbitai bot commented Dec 12, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@qltysh
Copy link

qltysh bot commented Dec 12, 2025

❌ 3 blocking issues (3 total)

Tool   Category       Rule                                                                      Count
trivy  Vulnerability  Package: next; Installed Version: 15.3.8; Fixed Version: 14.2.31, 15.4.5  1
trivy  Vulnerability  Package: next; Installed Version: 15.3.8; Fixed Version: 14.2.31, 15.4.5  1
trivy  Vulnerability  Package: next; Installed Version: 15.3.8; Fixed Version: 14.2.32, 15.4.7  1

@LCSOGthb LCSOGthb marked this pull request as ready for review December 12, 2025 12:47
@LCSOGthb LCSOGthb self-assigned this Dec 12, 2025
@LCSOGthb LCSOGthb self-requested a review December 12, 2025 12:48
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit logs: The PR only updates a dependency version and does not add or modify any code that would
implement or affect audit logging of critical actions.

Referred Code
"next": "15.3.8",
"react": "^19.0.0",

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status:
No identifiers: The PR only changes a dependency version in package.json and does not introduce or modify
identifiers whose naming could be assessed.

Referred Code
"next": "15.3.8",
"react": "^19.0.0",


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
No error paths: The change only updates the Next.js version and contains no runtime code where error
handling or edge cases could be evaluated.

Referred Code
"next": "15.3.8",
"react": "^19.0.0",


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
No user errors: The PR does not change any user-facing error messaging or logging; only a dependency
version is updated, so secure error handling cannot be assessed here.

Referred Code
"next": "15.3.8",
"react": "^19.0.0",


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
No logging changes: There are no additions or modifications to application logging; only a dependency version
change is present, so logging practices cannot be evaluated.

Referred Code
"next": "15.3.8",
"react": "^19.0.0",


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
No input handling: The PR introduces no new input handling or data processing code; only a Next.js version
bump is made, so input validation and data handling cannot be assessed from this diff.

Referred Code
"next": "15.3.8",
"react": "^19.0.0",


Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category  Suggestion  Impact
General
Align dependency versions for consistency

Update the eslint-config-next dependency from version 15.3.4 to 15.3.8 to align
with the updated next package version.

package.json [20]

-"eslint-config-next": "15.3.4",
+"eslint-config-next": "15.3.8",
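Review bot: aligning eslint-config-next with next is a lint-compatibility fix only; it has no bearing on the RCE this PR is meant to close, and the remaining gaps on this page are elsewhere. The package-lock comment at the bottom reports react and react-dom resolved at 19.1.0 against a stated 19.1.4 floor, and the qlty/trivy check lists next 15.3.8 itself against fixed versions 15.4.5 and 15.4.7. Apply this alignment, but regenerate package-lock.json and confirm the trivy findings against the advisory before treating the patch as complete.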

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies that the eslint-config-next version should match the next package version to ensure linting rule compatibility, which is a standard best practice.

Medium

@LCSOGthb LCSOGthb merged commit d678bdf into main Dec 12, 2025
34 of 39 checks passed
@LCSOGthb LCSOGthb deleted the vercel/react-server-components-cve-vu-zjw3t4 branch December 12, 2025 12:49
Comment on lines 13 to 14
"react": "^19.0.0",
"react-dom": "^19.0.0"


Bug: The package-lock.json pins react and react-dom to version 19.1.0, which remains vulnerable to CVE-2025-55182. The security fix is incomplete.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

This pull request intends to patch React Server Components vulnerabilities, including CVE-2025-55182. However, the package-lock.json explicitly pins react and react-dom to version 19.1.0. The minimum safe version required to fully patch the vulnerability is 19.1.4. As a result, the application remains vulnerable to Remote Code Execution (RCE) attacks, defeating the purpose of this security fix. The locked versions do not contain the complete protection against the disclosed vulnerabilities.

💡 Suggested Fix

Update the dependencies and regenerate package-lock.json to ensure react and react-dom are pinned to a safe version, such as 19.1.4 or higher, which contains the complete patch for CVE-2025-55182 and related vulnerabilities.

Reference ID: 7414786
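The review comment above makes the point that matters for this kind of patch: the `^19.0.0` range in package.json says nothing about what is actually installed; package-lock.json does. The script below is an added example written for this page, not code from the PR, from Vercel's fix-react2shell-next tool, or from the React project. It reads a lockfile (v1, v2 or v3 format), resolves every installed copy of the packages named on this page, including copies nested under another dependency's node_modules, and reports those whose resolved version is below a minimum patched version. The MIN_SAFE floors are assumptions lifted from this thread (next 15.3.8 from the PR, react and react-dom 19.1.4 from the review comment, and the same 19.1.4 floor assumed for the react-server-dom-* packages the tool touches); replace them with the versions in the official React advisory. The lockfile content is constructed inline to mirror the state the comment describes.

```javascript
// Added example for this page (not from the PR, Vercel's tool, or React):
// audit a package-lock.json for React Server Components packages whose
// *resolved* version is still below a patched floor. package.json ranges
// like "^19.0.0" are irrelevant here; only the lockfile's pinned versions
// reach production.

// Assumed floors taken from this PR thread; verify against the official
// React advisory before relying on them.
const MIN_SAFE = {
  next: "15.3.8",                       // version this PR upgrades to
  react: "19.1.4",                      // floor stated in the review comment
  "react-dom": "19.1.4",
  "react-server-dom-webpack": "19.1.4", // assumed to share react's floor
  "react-server-dom-parcel": "19.1.4",
  "react-server-dom-turbopack": "19.1.4",
};

// Constructed lockfile mirroring the state the review comment describes:
// next is patched, react/react-dom resolve to 19.1.0, and one dependency
// carries its own nested (already patched) copy of react.
const SAMPLE_LOCK = JSON.stringify({
  name: "games",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { next: "15.3.8", react: "^19.0.0", "react-dom": "^19.0.0" } },
    "node_modules/next": { version: "15.3.8" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.1.0" },
    "node_modules/some-ui-lib": { version: "2.0.0" },
    "node_modules/some-ui-lib/node_modules/react": { version: "19.1.4" },
  },
});

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (build metadata after "+" is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease ranks below the release it precedes,
// so "19.1.4-canary.0" does NOT satisfy a 19.1.4 floor.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] < pb.parts[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Every installed package with its on-disk path, for lockfile v2/v3
// ("packages" keyed by path) and v1 ("dependencies" nested by name).
function installedVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry.version) continue;
      const idx = path.lastIndexOf("node_modules/");
      const name = path.slice(idx + "node_modules/".length); // keeps @scope/name intact
      found.push({ name, path, version: entry.version });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        found.push({ name, path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Flag every copy (top-level or nested) that is below its floor.
function auditLock(lockText, minSafe) {
  const lock = JSON.parse(lockText);
  return installedVersions(lock)
    .filter((p) => minSafe[p.name] && compareVersions(p.version, minSafe[p.name]) < 0)
    .map((p) => ({ name: p.name, path: p.path, installed: p.version, required: minSafe[p.name] }));
}

function main() {
  const findings = auditLock(SAMPLE_LOCK, MIN_SAFE);
  for (const f of findings) {
    console.log(`STILL VULNERABLE ${f.path}: ${f.installed} < ${f.required}`);
  }
  console.log(findings.length === 0 ? "lockfile clean" : `${findings.length} package(s) below floor`);
}
main();
```

Run it with `node audit-lock.js`; to check a real repository, replace SAMPLE_LOCK with the contents of package-lock.json. The script reports paths rather than just names on purpose: a patched copy nested under one dependency does not protect a vulnerable top-level copy (or vice versa), so every resolved copy has to clear the floor before the lockfile can be called clean.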
