amirho/react.dev
1
0
Fork 0
mirror of https://github.com/reactjs/react.dev.git synced 2026-02-25 23:05:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update instructions (#8195)

Browse Source
This commit is contained in:
Ricky
2025-12-11 17:15:41 -05:00
committed by GitHub
parent 1a955f0323
commit 72f8998872
2 changed files with 31 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
View File

@@ -58,27 +58,40 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F
## Update Instructions {/*update-instructions*/}
<Note>
These instructions have been updated to include the new vulnerabilities:
- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info.
</Note>
### Next.js {/*update-next-js*/}
All users should upgrade to the latest patched version in their release line:
```bash
npm install next@15.0.5 // for 15.0.x
npm install next@15.1.9 // for 15.1.x
npm install next@15.2.6 // for 15.2.x
npm install next@15.3.6 // for 15.3.x
npm install next@15.4.8 // for 15.4.x
npm install next@15.5.7 // for 15.5.x
npm install next@16.0.7 // for 16.0.x
npm install next@14.2.34 // for 14.x
npm install next@15.0.6 // for 15.0.x
npm install next@15.1.10 // for 15.1.x
npm install next@15.2.7 // for 15.2.x
npm install next@15.3.7 // for 15.3.x
npm install next@15.4.9 // for 15.4.x
npm install next@15.5.8 // for 15.5.x
npm install next@16.0.9 // for 16.0.x
```
If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release:
```bash
npm install next@14
```
See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
### React Router {/*update-react-router*/}

19
src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
View File

@@ -26,20 +26,15 @@ The new vulnerabilities are disclosed as:
- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
These issues are present in the patches published last week.
We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.
<Note>
#### Its common for critical CVEs to uncover followup vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/}
#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/}
When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.
If you already updated for the Critical Security Vulnerability, you will need to update again.
This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix.
Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
</Note>
@@ -61,9 +56,13 @@ As before, if your apps React code does not use a server, your app is not aff
<Note>
#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/}
#### Its common for critical CVEs to uncover followup vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/}
If you already updated for the Critical Security Vulnerability, you will need to update again.
When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.
This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix.
Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
</Note>