Security: Example app update Next.js dependency for CVE-2025-55184 and CVE-2025-55183 (#951)

tusharpandey13 · web-flow · commit 22b24c64c0ce · 2025-12-12T12:42:16.000+05:30
## Premise On December 11, 2025, Next.js disclosed two security vulnerabilities affecting applications using React Server Components with the App Router: 1. **CVE-2025-55184 / CVE-2025-67779** (High Severity) - Denial of Service via infinite loop 2. **CVE-2025-55183** (Medium Severity) - Source code exposure in Server Functions These vulnerabilities originate in the upstream React RSC protocol implementation. While neither allows Remote Code Execution, upgrading to patched versions is required. ## Changes Changed `examples/next-app/package.json`: | Package | Before | After | |---------|--------|-------| | `next` | 15.4.8 | 15.4.10 | ## References - [Next.js Security Update: December 11, 2025](https://nextjs.org/blog/security-update-2025-12-11) - [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) - DoS vulnerability - [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779) - Complete DoS fix - [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) - Source code exposure - [React Blog: DoS and Source Code Exposure in RSC](https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components)
diff --git a/examples/nextjs-app/package.json b/examples/nextjs-app/package.json
@@ -9,7 +9,7 @@
   },
   "dependencies": {
     "@auth0/auth0-react": "file:../..",
-    "next": "15.4.8",
+    "next": "15.4.10",
     "react": "file:../../node_modules/react",
     "react-dom": "file:../../node_modules/react-dom"
   }

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`},`
`10`	`10`	`"dependencies": {`
`11`	`11`	`"@auth0/auth0-react": "file:../..",`
`12`		`- "next": "15.4.8",`
	`12`	`+ "next": "15.4.10",`
`13`	`13`	`"react": "file:../../node_modules/react",`
`14`	`14`	`"react-dom": "file:../../node_modules/react-dom"`
`15`	`15`	`}`