From dd44ea5cae39eb4086486b48a86b87062cc321fd Mon Sep 17 00:00:00 2001 
From: Vercel Date: Mon, 8 Dec 2025 20:21:06 +0000 Subject: [PATCH] Update packages for React Flight RCE advisory MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## React Flight / Next.js RCE Advisory - Security Update ### Summary The ethonline-2025-frontend project has been updated to address the React Flight / Next.js RCE advisory (CVE-2025-55182 / CVE-2025-66478 / GHSA-9qr9-h5gf-34mp). **Status: ✅ PATCHED** - Updated Next.js to the patched version ### Changes Made #### frontend/package.json - **Next.js**: Updated from `15.5.6` → `15.5.7` (patched version for 15.5.x) #### pnpm-lock.yaml - Updated lockfile to reflect Next.js 15.5.7 and all associated SWC compiler binaries - All transitive dependencies properly resolved to compatible versions ### Advisory Details The React Flight RCE vulnerability (CVE-2025-55182) affects: - React versions: 19.0.0, 19.1.0, 19.1.1, 19.2.0 (when using react-server-dom packages) - Next.js versions: 14.3.0-canary.77+, 15.0.0+, 16.0.0+ **Patched versions for Next.js by minor version:** - 15.0.x → 15.0.5 - 15.1.x → 15.1.9 - 15.2.x → 15.2.6 - 15.3.x → 15.3.6 - 15.4.x → 15.4.8 - **15.5.x → 15.5.7** ← Applied ✅ - 16.x → 16.0.7 ### Vulnerability Assessment **Project Structure:** - **Type**: Monorepo with pnpm workspaces - **Packages**: - `frontend/` - Next.js application (AFFECTED) - `blockchain/` - Smart contracts (NOT affected - no Next.js) - `circuits/` - ZK circuits (NOT affected - no Next.js) **Dependency Analysis:** - ✅ No react-server-dom packages found (not vulnerable) - ✅ React 19.1.0 and React-DOM 19.1.0 included with patched Next.js 15.5.7 - ✅ No manual React version updates needed (Next.js handles this) - ✅ Next.js 15.5.7 includes necessary React Flight patches ### Implementation Details 1. **Upgrade Strategy**: Only upgraded affected package - Next.js was on 15.5.6 (vulnerable version) - Upgraded to 15.5.7 (patched version for 15.5.x line) - No cross-major-version upgrades performed 2. 
**Dependencies**: - React and React-DOM versions remain unchanged (19.1.0) - Next.js 15.5.7 is compatible with React 19.1.0 - Next.js automatically provides patched React versions through its dependencies 3. **Lockfile**: - Updated pnpm-lock.yaml with Next.js 15.5.7 and all platform-specific SWC binaries - No dependency conflicts introduced - All resolutions valid and consistent ### Files Modified - `frontend/package.json` - Next.js version bump - `pnpm-lock.yaml` - Updated dependency resolution ### Files NOT Modified - `blockchain/package.json` - No vulnerability - `circuits/package.json` - No vulnerability - Root `package.json` - No workspace-level changes needed ### Verification Notes - Project uses pnpm workspace configuration - Only frontend workspace is affected by the advisory - Other workspaces (blockchain, circuits) do not use Next.js or React Flight packages - Build should work correctly with patched Next.js 15.5.7 ### Important Information - This update addresses the critical RCE vulnerability in React Server Components - The vulnerability allows unauthenticated remote code execution through malformed deserialization - All affected Next.js 15.5.x users should upgrade to 15.5.7 - No application code changes were necessary - only dependency update Co-authored-by: Vercel
---
 frontend/package.json | 2 +-
 pnpm-lock.yaml | 88 +++++++++++++++++++++----------------------
 2 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/frontend/package.json b/frontend/package.json
index 71c4253..87cd1f0 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -42,7 +42,7 @@
 "clsx": "^2.1.1",
 "geist": "^1.5.1",
 "lucide-react": "^0.546.0",
- "next": "15.5.6",
+ "next": "15.5.7",
 "next-themes": "^0.4.6",
 "otpauth": "^9.4.1",
 "prisma": "^6.18.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6de2855..7d9b4c7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -177,13 +177,13 @@ importers: version: 2.1.1 geist: specifier: ^1.5.1 - version: 1.5.1(next@15.5.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)) + version: 1.5.1(next@15.5.7(react-dom@19.1.0(react@19.1.0))(react@19.1.0)) lucide-react: specifier: ^0.546.0 version: 0.546.0(react@19.1.0) next: - specifier: 15.5.6 - version: 15.5.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0) + specifier: 15.5.7 + version: 15.5.7(react-dom@19.1.0(react@19.1.0))(react@19.1.0) next-themes: specifier: ^0.4.6 version: 0.4.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0) 
@@ -922,53 +922,53 @@ packages: resolution: {integrity: sha512-w8CVbdkDrVXFJbfBSlDfafDR6BAkpDmv1bC1UJVCoVny5tW2RKAdn9i68Xf7asYT4TnUhl/hN4zfUiKQq9II4g==} engines: {node: '>=16.0.0'} - '@next/env@15.5.6': - resolution: {integrity: sha512-3qBGRW+sCGzgbpc5TS1a0p7eNxnOarGVQhZxfvTdnV0gFI61lX7QNtQ4V1TSREctXzYn5NetbUsLvyqwLFJM6Q==} + '@next/env@15.5.7': + resolution: {integrity: sha512-4h6Y2NyEkIEN7Z8YxkA27pq6zTkS09bUSYC0xjd0NpwFxjnIKeZEeH591o5WECSmjpUhLn3H2QLJcDye3Uzcvg==} - '@next/swc-darwin-arm64@15.5.6': - resolution: {integrity: sha512-ES3nRz7N+L5Umz4KoGfZ4XX6gwHplwPhioVRc25+QNsDa7RtUF/z8wJcbuQ2Tffm5RZwuN2A063eapoJ1u4nPg==} + '@next/swc-darwin-arm64@15.5.7': + resolution: {integrity: sha512-IZwtxCEpI91HVU/rAUOOobWSZv4P2DeTtNaCdHqLcTJU4wdNXgAySvKa/qJCgR5m6KI8UsKDXtO2B31jcaw1Yw==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@15.5.6': - resolution: {integrity: sha512-JIGcytAyk9LQp2/nuVZPAtj8uaJ/zZhsKOASTjxDug0SPU9LAM3wy6nPU735M1OqacR4U20LHVF5v5Wnl9ptTA==} + '@next/swc-darwin-x64@15.5.7': + resolution: {integrity: sha512-UP6CaDBcqaCBuiq/gfCEJw7sPEoX1aIjZHnBWN9v9qYHQdMKvCKcAVs4OX1vIjeE+tC5EIuwDTVIoXpUes29lg==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@15.5.6': - resolution: {integrity: sha512-qvz4SVKQ0P3/Im9zcS2RmfFL/UCQnsJKJwQSkissbngnB/12c6bZTCB0gHTexz1s6d/mD0+egPKXAIRFVS7hQg==} + '@next/swc-linux-arm64-gnu@15.5.7': + resolution: {integrity: sha512-NCslw3GrNIw7OgmRBxHtdWFQYhexoUCq+0oS2ccjyYLtcn1SzGzeM54jpTFonIMUjNbHmpKpziXnpxhSWLcmBA==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-arm64-musl@15.5.6': - resolution: {integrity: sha512-FsbGVw3SJz1hZlvnWD+T6GFgV9/NYDeLTNQB2MXoPN5u9VA9OEDy6fJEfePfsUKAhJufFbZLgp0cPxMuV6SV0w==} + '@next/swc-linux-arm64-musl@15.5.7': + resolution: {integrity: sha512-nfymt+SE5cvtTrG9u1wdoxBr9bVB7mtKTcj0ltRn6gkP/2Nu1zM5ei8rwP9qKQP0Y//umK+TtkKgNtfboBxRrw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-x64-gnu@15.5.6': - resolution: 
{integrity: sha512-3QnHGFWlnvAgyxFxt2Ny8PTpXtQD7kVEeaFat5oPAHHI192WKYB+VIKZijtHLGdBBvc16tiAkPTDmQNOQ0dyrA==} + '@next/swc-linux-x64-gnu@15.5.7': + resolution: {integrity: sha512-hvXcZvCaaEbCZcVzcY7E1uXN9xWZfFvkNHwbe/n4OkRhFWrs1J1QV+4U1BN06tXLdaS4DazEGXwgqnu/VMcmqw==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-linux-x64-musl@15.5.6': - resolution: {integrity: sha512-OsGX148sL+TqMK9YFaPFPoIaJKbFJJxFzkXZljIgA9hjMjdruKht6xDCEv1HLtlLNfkx3c5w2GLKhj7veBQizQ==} + '@next/swc-linux-x64-musl@15.5.7': + resolution: {integrity: sha512-4IUO539b8FmF0odY6/SqANJdgwn1xs1GkPO5doZugwZ3ETF6JUdckk7RGmsfSf7ws8Qb2YB5It33mvNL/0acqA==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-win32-arm64-msvc@15.5.6': - resolution: {integrity: sha512-ONOMrqWxdzXDJNh2n60H6gGyKed42Ieu6UTVPZteXpuKbLZTH4G4eBMsr5qWgOBA+s7F+uB4OJbZnrkEDnZ5Fg==} + '@next/swc-win32-arm64-msvc@15.5.7': + resolution: {integrity: sha512-CpJVTkYI3ZajQkC5vajM7/ApKJUOlm6uP4BknM3XKvJ7VXAvCqSjSLmM0LKdYzn6nBJVSjdclx8nYJSa3xlTgQ==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] - '@next/swc-win32-x64-msvc@15.5.6': - resolution: {integrity: sha512-pxK4VIjFRx1MY92UycLOOw7dTdvccWsNETQ0kDHkBlcFH1GrTLUjSiHU1ohrznnux6TqRHgv5oflhfIWZwVROQ==} + '@next/swc-win32-x64-msvc@15.5.7': + resolution: {integrity: sha512-gMzgBX164I6DN+9/PGA+9dQiwmTkE4TloBNx8Kv9UiGARsr9Nba7IpcBRA1iTV9vwlYnrE3Uy6I7Aj6qLjQuqw==} engines: {node: '>= 10'} cpu: [x64] os: [win32] @@ -3122,8 +3122,8 @@ packages: react: ^16.8 || ^17 || ^18 || ^19 || ^19.0.0-rc react-dom: ^16.8 || ^17 || ^18 || ^19 || ^19.0.0-rc - next@15.5.6: - resolution: {integrity: sha512-zTxsnI3LQo3c9HSdSf91O1jMNsEzIXDShXd4wVdg9y5shwLqBXi4ZtUUJyB86KGVSJLZx0PFONvO54aheGX8QQ==} + next@15.5.7: + resolution: {integrity: sha512-+t2/0jIJ48kUpGKkdlhgkv+zPTEOoXyr60qXe68eB/pl3CMJaLeIGjzp5D6Oqt25hCBiBTt8wEeeAzfJvUKnPQ==} engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} hasBin: true peerDependencies: 
@@ -4951,30 +4951,30 @@ snapshots: transitivePeerDependencies: - supports-color - '@next/env@15.5.6': {} + '@next/env@15.5.7': {} - '@next/swc-darwin-arm64@15.5.6': + '@next/swc-darwin-arm64@15.5.7': optional: true - '@next/swc-darwin-x64@15.5.6': + '@next/swc-darwin-x64@15.5.7': optional: true - '@next/swc-linux-arm64-gnu@15.5.6': + '@next/swc-linux-arm64-gnu@15.5.7': optional: true - '@next/swc-linux-arm64-musl@15.5.6': + '@next/swc-linux-arm64-musl@15.5.7': optional: true - '@next/swc-linux-x64-gnu@15.5.6': + '@next/swc-linux-x64-gnu@15.5.7': optional: true - '@next/swc-linux-x64-musl@15.5.6': + '@next/swc-linux-x64-musl@15.5.7': optional: true - '@next/swc-win32-arm64-msvc@15.5.6': + '@next/swc-win32-arm64-msvc@15.5.7': optional: true - '@next/swc-win32-x64-msvc@15.5.6': + '@next/swc-win32-x64-msvc@15.5.7': optional: true '@noble/ciphers@1.2.1': {} @@ -7602,9 +7602,9 @@ snapshots: function-bind@1.1.2: {} - geist@1.5.1(next@15.5.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0)): + geist@1.5.1(next@15.5.7(react-dom@19.1.0(react@19.1.0))(react@19.1.0)): dependencies: - next: 15.5.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0) + next: 15.5.7(react-dom@19.1.0(react@19.1.0))(react@19.1.0) generator-function@2.0.1: {} @@ -7975,9 +7975,9 @@ snapshots: react: 19.1.0 react-dom: 19.1.0(react@19.1.0) - next@15.5.6(react-dom@19.1.0(react@19.1.0))(react@19.1.0): + next@15.5.7(react-dom@19.1.0(react@19.1.0))(react@19.1.0): dependencies: - '@next/env': 15.5.6 + '@next/env': 15.5.7 '@swc/helpers': 0.5.15 caniuse-lite: 1.0.30001751 postcss: 8.4.31 
@@ -7985,14 +7985,14 @@ snapshots: react-dom: 19.1.0(react@19.1.0) styled-jsx: 5.1.6(react@19.1.0) optionalDependencies: - '@next/swc-darwin-arm64': 15.5.6 - '@next/swc-darwin-x64': 15.5.6 - '@next/swc-linux-arm64-gnu': 15.5.6 - '@next/swc-linux-arm64-musl': 15.5.6 - '@next/swc-linux-x64-gnu': 15.5.6 - '@next/swc-linux-x64-musl': 15.5.6 - '@next/swc-win32-arm64-msvc': 15.5.6 - '@next/swc-win32-x64-msvc': 15.5.6 + '@next/swc-darwin-arm64': 15.5.7 + '@next/swc-darwin-x64': 15.5.7 + '@next/swc-linux-arm64-gnu': 15.5.7 + '@next/swc-linux-arm64-musl': 15.5.7 + '@next/swc-linux-x64-gnu': 15.5.7 + '@next/swc-linux-x64-musl': 15.5.7 + '@next/swc-win32-arm64-msvc': 15.5.7 + '@next/swc-win32-x64-msvc': 15.5.7 sharp: 0.34.4 transitivePeerDependencies: - '@babel/core'