
Copilot AI commented Dec 8, 2025

Next.js 15.1.2 is vulnerable to React2Shell RCE (CVE affecting React flight protocol), DoS via cache poisoning, and authorization bypass in middleware.

Changes

  • Upgraded next from 15.1.2 to 15.5.7 - patches all three vulnerabilities
  • Upgraded @next/mdx to ^15.5.7 for version compatibility
  • Added package-lock.json to .gitignore (project uses pnpm)

Vulnerabilities Fixed

| Issue | Severity | Affected Versions | Status |
| --- | --- | --- | --- |
| React2Shell RCE | Critical | 15.1.0-canary.0 to < 15.1.9 | ✅ Fixed |
| Cache poisoning DoS | High | 15.0.4-canary.51 to < 15.1.8 | ✅ Fixed |
| Middleware auth bypass | High | 15.0.0 to < 15.2.3 | ✅ Fixed |

Verified with gh-advisory-database: Next.js 15.5.7 has no known vulnerabilities.

Original prompt

This section details the original issue you should resolve

<issue_title>Need to check if vulnerable</issue_title>
<issue_description>

"next": "15.1.2",
</issue_description>

<agent_instructions>Check if the next version is not vulnerable to the recently found React2Shell vulnerability</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title from "[WIP] Check if next version is not vulnerable to React2Shell" to "Security: Fix React2Shell RCE by upgrading Next.js to 15.5.7" on Dec 8, 2025
Copilot AI requested a review from triszt4n December 8, 2025 01:01
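The check the issue asks for, "is our pinned `next` version inside any of the affected ranges?", is easy to get wrong by hand because the ranges in the table start at canary prereleases, and semver orders `15.1.0-canary.0` before `15.1.0`. The script below is an added example, not code from this repository, Next.js, or npm: it contains its own minimal semver parser and comparator (no `semver` package required), carries the three ranges copied from the table above, and reports which advisories a given version falls into. The `package.json` content and the `affectedBy`, `parseVersion`, `compareVersions` and `nextVersionFrom` function names are this example's own; a leading `^` or `~` is stripped so that the lower bound of a range specifier is what gets checked, which is the worst case for a caret range.

```javascript
// Added example (not project code): check a Next.js version against the
// affected ranges listed in the PR table. Parsing and comparison helpers
// are this example's own, not Next.js or npm code.

// Parse "15.1.0-canary.51" into { major, minor, patch, pre: ["canary", 51] }.
// A leading "^" or "~" (package.json range specifier) is dropped so the
// lower bound of the range is what gets checked.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim().replace(/^[\^~]/, ''));
  if (!m) throw new Error(`not a semver version: ${v}`);
  const pre = m[4] ? m[4].split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { major: +m[1], minor: +m[2], patch: +m[3], pre };
}

// Semver precedence: compare the numeric triple, then prerelease identifiers.
// A version with a prerelease sorts *before* the same version without one,
// so 15.1.0-canary.0 < 15.1.0, which is why "15.1.0" is inside a range that
// starts at "15.1.0-canary.0".
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.pre.length) return -1; // shorter prerelease list sorts first
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x < y ? -1 : 1;
    if (typeof x === 'number') return -1; // numeric identifiers sort before alphanumeric
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges copied from the table in the PR description:
// introduced is inclusive, fixed is exclusive ("to < 15.1.9").
const ADVISORIES = [
  { issue: 'React2Shell RCE', introduced: '15.1.0-canary.0', fixed: '15.1.9' },
  { issue: 'Cache poisoning DoS', introduced: '15.0.4-canary.51', fixed: '15.1.8' },
  { issue: 'Middleware auth bypass', introduced: '15.0.0', fixed: '15.2.3' },
];

// Return the names of the advisories whose range contains `version`.
function affectedBy(version, advisories = ADVISORIES) {
  const v = parseVersion(version);
  return advisories
    .filter(a => compareVersions(v, parseVersion(a.introduced)) >= 0 &&
                 compareVersions(v, parseVersion(a.fixed)) < 0)
    .map(a => a.issue);
}

// Pull the `next` specifier out of a package.json's text.
function nextVersionFrom(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = Object.assign({}, pkg.devDependencies, pkg.dependencies);
  if (!deps.next) throw new Error('next is not a dependency');
  return deps.next;
}

// Constructed sample mirroring the issue ("next": "15.1.2"); not the repo's real file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { next: '15.1.2', '@next/mdx': '^15.1.2' },
});

// Report for the sample, the PR's target version, and a few boundary cases.
for (const v of [nextVersionFrom(SAMPLE_PACKAGE_JSON), '15.5.7', '15.1.0', '15.1.9', '15.0.4-canary.50']) {
  const hits = affectedBy(v);
  console.log(`${v}: ${hits.length ? 'VULNERABLE to ' + hits.join(', ') : 'not in any listed range'}`);
}
```

Running it prints that 15.1.2 is inside all three ranges and 15.5.7 is in none, matching the PR table; the boundary cases show that a bare `15.1.0` is still inside the React2Shell range (it sorts after the canary lower bound) and that `15.1.9` is clear of the two React-related ranges but still inside the middleware bypass range, which is the kind of off-by-one a quick eyeball comparison misses.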


Development

Successfully merging this pull request may close these issues.

Need to check if vulnerable
