Fix CVE-2025-66478 & CVE-2025-55182 for React and Next.JS as well as CVE-2025-55184, CVE-2025-67779 and CVE-2025-55183

[Vashiru]

What are the changes and their implications?

NextJS and React have been updated to the latest patch releases within their respective minor versions to fix CVE-2025-66478 & CVE-2025-55182.

More info:

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

https://nextjs.org/blog/CVE-2025-66478

Bug Checklist

• Changeset added (run pnpm changeset in the root directory)
• Integration test added (see test docs if needed)

Feature Checklist

• Changeset added (run pnpm changeset in the root directory)
• Integration test added (see test docs if needed)
• Documentation added/updated (submit PR to blitzjs.com repo main branch)

[changeset-bot]

🦋 Changeset detected

Latest commit: f9709ab

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Vashiru]

Update to also fix CVE-2025-55184, CVE-2025-67779 and CVE-2025-55183

https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
https://nextjs.org/blog/security-update-2025-12-11