Notes about checking my Next.js Gita project for CVE-2025-55182 security issue

On 06 December 2025, I received an email from Vercel and also a message from a friend about the CVE-2025-55182 security issue impacting Next.js projects (those that use React Server Components).

Given below is a log of how I checked whether the issue impacts my Gita project.

For my Gita project:
npm list next

dev> npm list next
test1@0.1.0 C:\Users\ravi-user\CurrProj\Others\Nextjs\gitaapp-twts\dev
├── next@14.2.3
└─┬ nextjs-toploader@1.6.12
  └── next@14.2.3 deduped

dev>
------------

Vercel in email on 6 Dec. 2025 provided this blog post link: https://vercel.com/blog/resources-for-protecting-against-react2shell , dated 5 Dec. 2025. Some extracts from it:

If your application is hosted on Vercel, our WAF is already filtering and blocking known exploit patterns. However, upgrading to a patched version is strongly recommended and the only complete fix. All users of React Server Components, whether through Next.js or any other framework, should update immediately.
...

Today, we also shipped a change to block new deployments of projects using vulnerable versions of Next.js.

...

For Next.js
Compare your version of Next.js against the table below. You can find your Next.js version through either of the following methods:

Load a page from your app and run next.version in the browser console to see the current version

Inspect your project’s package.json and look for next in your project dependencies
--- end extracts ---

In browser console, for https://gita-rsi.vercel.app/ ran:
next.version
'14.2.3'

----------
So clearly, I am using Next.js 14.2.3.

The above blog post (https://vercel.com/blog/resources-for-protecting-against-react2shell) lists the vulnerable versions of Next.js as 15.0.x through 16.0.x for regular releases, plus canary versions (Next.js 14 canaries after 14.3.0-canary.76). I am not using a canary version.

To be on the safe side, at around 7.08 PM on 6 Dec. 2025 I redeployed the last production deployment (datarest branch). The redeployment was successful; Vercel did not block it. I think all this indicates that I need not apply a patch or upgrade.
An upgrade can break other code, so I don't want to do it.
There is no question of a patch either, as the version I am using, Next.js 14.2.3, is not vulnerable and so the blog post does not list a patched version for it.

Just visited the app. The home page loaded OK, and so did another page.
===========================