[PR #4] [MERGED] Fix React Server Components CVE vulnerabilities #4

Closed
opened 2026-02-16 03:15:30 -05:00 by yindo · 0 comments

📋 Pull Request Information

Original PR: https://github.com/run-llama/flow-maker/pull/4
Author: @vercel[bot]
Created: 12/16/2025
Status: Merged
Merged: 12/16/2025
Merged by: @logan-markewich

Base: main ← Head: vercel/react-server-components-cve-vu-f5dhme


📝 Commits (1)

  • 9578499 Fix React Server Components CVE vulnerabilities

📊 Changes

2 files changed (+56 additions, -44 deletions)

View changed files

📝 package-lock.json (+55 -43)
📝 package.json (+1 -1)

📄 Description

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance (https://vercel.link/additional-checks) before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project flow-maker (https://vercel.com/llama-index/flow-maker). The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

  • GitHub Security Advisory: GHSA-9qr9-h5gf-34mp (https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp)
  • React Advisory: CVE-2025-55182 (https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components)
  • Next.js Advisory: CVE-2025-66478 (https://nextjs.org/blog/CVE-2025-66478)

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info (https://vercel.link/cve-2025-55182-automated-pr) | security@vercel.com


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
yindo added the pull-request label 2026-02-16 03:15:30 -05:00
yindo closed this issue 2026-02-16 03:15:30 -05:00
Reference: run-llama/flow-maker#4