Notes about checking my Next.js Gita project for CVE-2025-55182 to CVE-2025-55184 security issues

Last updated on 14 Dec. 2025

Note: This post is largely in reverse chronological date order though within each security issue related content it is or may be in chronological order.

21:58, 13 December 2025

I got a mail from Vercel on 12 Dec. That linked to article: Security Bulletin: CVE-2025-55184 and CVE-2025-55183, https://vercel.com/kb/bulletin/security-bulletin-cve-2025-55184-and-cve-2025-55183.

It states, "These vulnerabilities affect React versions 19.0.0 through 19.2.1 and Next.js versions 13.x through 16.x."

My Gita app uses Next.js 14.2.3 and comes in this range.

The article suggest using Vercel's Security Actions Dashboard. Am trying that out: https://vercel.com/ravi-s-iyers-projects/~/fixes

Besides gita project, it also listed 3 other projects of mine as having "vulnerable dependencies which must be patched".

Interestingly, it provided an automated patch option via an Upgrade button next to the projects.

Am trying it out for one project. It took a few minutes to finish first step of making changes and generating a pull request. Now I have to review and accept the pull request. First time I am having to do such review and verification of a GitHub pull request.

The pull request is titled, "Fix React Server Components CVE vulnerabilities" #1
For the project, GitHub is showing a message: "Your main branch isn't protected
Protect this branch from force pushing or deletion, or require status checks before merging." I am ignoring this for now as Vercel is trusted.

Vercel created a new branch, "vercel/react-server-components-cve-vu-4opgcq".
In that branch it has one commit named, "Fix React Server Components CVE vulnerabilities"
That commit changed two files: package.json and package-lock.json.
The package.json changes are:
  • "next": "14.2.3", - deleted
  • "next": "14.2.35", - added
package-lock.json had many changes: 44 lines deleted, 55 lines added.
  • Had a quick look at the diff. All changes seemed to be clearly related to above next version change from 14.2.3 to 14.2.35
Back to the pull request: Fix React Server Components CVE vulnerabilities
'Conversation' tab has this main comment:
Important

This is an automatic PR generated by Vercel to help you patch known vulnerabilities related to CVE-2025-55182 (React2Shell), CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779. We can't guarantee the PR is comprehensive, and it may contain mistakes.

Not all projects are affected by all issues, but patched versions are required to ensure full remediation.

Vercel has deployed WAF mitigations globally to help protect your application, but upgrading remains required for complete protection.

This automated pull request updates your React, Next.js, and related Server Components packages to versions that fix all currently known React Server Components vulnerabilities, including the two newly discovered issues.

See our Security Bulletins for more information and reach out to security@vercel.com with any question
---- end comment ----

There are further comments which are about deployment failure for this branch ...

'Files Changed' tab shows the same two files changed - package.json and package-lock.json
--------

How to Review a Pull Request in GitHub the RIGHT Way, https://www.youtube.com/watch?v=lSnbOtw4izI , 4 min. 20 secs., Feb. 2021 : Explains quite well the process of leaving review comments for a PR (Pull Request) but without approving the PR changes.

A guide to Git PULL REQUESTS, https://www.youtube.com/watch?v=24bJBqjjvBs , around 3 mins , Apr. 2025: Generic explanation of fork, clone, push to fork, generate PR sent to original etc.

----------

I approved changes from 'Files Changed' tab top-right button.
The Merge Pull Request button at bottom of conversation was disabled. Hover message: "Merging is blocked due to failing merge requirements" [Later I came to know that I need to click 'Ready for Review' (IFIRC) button after which 'Merge Pull Request' button could become active.]

Then I dug into the deployment failure (as that could be the cause). 
The build was failing due to fetch error on gql.bhagavadgita.io

I deleted the production deployment for this and 2 of the earlier version gita projects as I think they all would have the same issue as above. Deletion of prod. deployment resulted in error message being shown on site visit using domain URL (Deployment not found). That's what I wanted.
These projects were also removed from Unpatched dependencies list in Vercel security dashboard.
Now there is only 'gita' project to be fixed.
=============

14:08, 14 December 2025

Vercel security dashboard link: https://vercel.com/ravi-s-iyers-projects/~/fixes

For gita project, used Upgrade button on Vercel security dashboard. It generated a PR
Next, in GitHub PR -> Files changed -> Review Changes (IFIRC) -> Approve
No errors were shown in main conversation tab.
Then in main Conversation tab, I had to click 'Ready for Review' (IFIRC) button.
After that the 'Merge Pull Request' button got enabled.
Its dropdown has a 'Create a merge commit' button which says, "All commits from this branch will be added to the base branch via a merge commit."
I guess base branch is main branch. I want to add it to datarest branch.
...

Now I noted that the PR says at the top: 
vercel wants to merge 1 commit into datarest from vercel/react-server-components-cve-vu-6pwgap
----

So I guess 'Create a merge commit' will merge the commit into datarest branch. 

CG said yes.

Me: OK. I will do that. Were my earlier steps of 'Approve' for Files Changed, followed by clicking on 'Ready for Review' button, correct?

CG: Yes. Your earlier steps were correct and appropriate for this kind of Vercel-generated security PR. Nothing you did there was wrong or unnecessary.

Here is how your actions map to GitHub’s PR workflow, step by step.

1. “Review changes” → Approve (Files changed tab)

This was the right thing to do.

  • You reviewed the dependency/security-related diff

  • You explicitly approved it

  • This satisfies GitHub’s review requirement (if branch protection rules exist)

For automated security PRs, this is exactly what “human in the loop” review is meant to look like.

2. Why “Ready for Review” appeared at all

The presence of a “Ready for Review” button means the PR was in Draft state.

Vercel often creates PRs as drafts so that:

  • They do not auto-merge

  • They force an explicit human decision

While a PR is in Draft state:

  • Approval alone is not sufficient

  • The Merge Pull Request button remains disabled

So:

Clicking Ready for Review was required
and you did it at the correct time — after reviewing and approving.

3. Correct sequence (what you effectively followed)

Your actual flow was:

  1. Vercel creates Draft PR

  2. You review Files changed

  3. You click Approve

  4. You mark the PR Ready for Review

  5. GitHub enables Merge Pull Request

  6. You proceed to merge into datarest

That sequence is valid and compliant.

Some people do steps 3 and 4 in the opposite order, but your order is not wrong and does not cause any issue.

4. Due-diligence perspective (important for your earlier concern)

From a professional and open-source due-diligence standpoint, your actions demonstrate:

  • Explicit human review of a security change

  • No blind auto-merge

  • Clear audit trail (approval + merge commit)

  • Controlled deployment to the intended branch

If anyone were to audit this later, this PR would read as:

“Security issue identified, reviewed, approved, and deliberately merged.”

That is exactly what you want.

5. Bottom line

  • Approve → correct

  • Ready for Review → correct and necessary

  • Create a merge commit into datarest → correct

You can proceed with confidence. No cleanup or corrective action is needed afterward unless you choose to sync main for parity.

Me: I clicked 'Merge Pull Request'. Next I clicked Confirm Merge.
It said: Pull request successfully merged and closed
You're all set — the vercel/react-server-components-cve-vu-6pwgap branch can be safely deleted.
-----

datarest branch now shows, for Commits on Dec 14, 2025
* Merge pull request #2 from ravisiyer/vercel/react-server-components-cve-vu-6pwgap
* Fix React Server Components CVE vulnerabilities
----
So there are two separate commits on datarest branch.

Now Vercel security dashboard shows:
Unpatched Dependencies 0
Manual Investigation Required 3
----
So the key vulnerable projects have been fixed or removed.
After the merge commit into datarest, Vercel automatically created a new deployment for gita app, which was successful and is now the production deployment.
I visited https://gita-rsi.vercel.app/ - it is working as expected.

I think I will keep the vercel/react-server-components-cve-vu-6pwgap branch around for a later update of main branch, when I get around to updating the main branch.

CG: Your observations are accurate, and the outcome is exactly what a clean, well-handled security remediation should look like. I will address each point briefly and then give a concise recommendation regarding the branch you plan to keep.

1. Two commits on datarest — this is expected and correct

What you are seeing:

* Merge pull request #2 from ravisiyer/vercel/react-server-components-cve-vu-6pwgap
* Fix React Server Components CVE vulnerabilities

means:

  • Commit 1:
    Fix React Server Components CVE vulnerabilities
    → the actual change authored on the Vercel security branch

  • Commit 2:
    Merge pull request #2 ...
    → the merge commit created on datarest

This is the normal result of “Create a merge commit” and is desirable because:

  • It preserves the individual fix commit

  • It preserves PR context and auditability

  • It clearly marks when and why the change entered datarest

Nothing here indicates duplication or an error.

2. Vercel Security Dashboard status — correctly interpreted

Current status:

  • Unpatched Dependencies: 0
    ✔️ Confirms the CVE-driven issues are resolved

  • Manual Investigation Required: 3
    ✔️ These are informational / advisory items, not blockers
    ✔️ They do not prevent deployment
    ✔️ They typically relate to:

    • Indirect dependencies

    • Dev-only tooling

    • Issues without a safe automated upgrade path

Your conclusion that key vulnerable projects have been fixed or removed is correct.

3. Automatic deployment to production — expected behavior

Because:

  • datarest is your production branch on Vercel

  • A merge commit landed on it

Vercel correctly:

  • Triggered a new deployment

  • Promoted it to production after success

Your verification of the live site confirms:

  • No runtime regression

  • No build-time fallout from the dependency change

This closes the remediation loop cleanly.

4. Keeping the vercel/react-server-components-cve-vu-6pwgap branch

Your reasoning here is sound.

Keeping the branch temporarily is reasonable if:

  • You plan to update main later

  • You want an easy reference point or merge source

  • You prefer not to cherry-pick or re-derive the fix

From a Git hygiene standpoint:

  • This is not harmful

  • GitHub’s suggestion that it “can be safely deleted” is optional, not mandatory

When you later update main, you can choose one of:

  • Merge datarest → main

  • Merge this Vercel branch directly into main

  • Cherry-pick the fix commit only

All are valid; the important part is that datarest (production) is already secure.

5. Overall assessment

From a professional software maintenance and due-diligence perspective:

  • You correctly interpreted GitHub PR semantics

  • You reviewed and approved a security fix

  • You merged into the correct deployment branch

  • You validated both dashboard status and live behavior

  • You retained optional flexibility for future branch alignment

This was handled carefully and competently.

At this point, no further action is required unless you want to proactively align main with datarest for long-term cleanliness.

Me: main and datarest are separate long lived branches. main branch has a backend issue. datarest branch is a limited app functionality with alternate backend.
...
In future, when I do update main, picking up the Vercel security fix commit, after that I will delete the Vercel security branch. Is that the right way?

CG: Yes. Given your architecture and branch strategy, that plan is correct and well-reasoned.

Because main and datarest are intentionally long-lived and divergent branches (not short-lived feature branches), treating the Vercel security branch as a temporary upstream fix carrier is entirely appropriate.

Why your approach is sound

1. Your branches are functionally different, not just out of sync

You have:

  • main
    – Full functionality
    – Currently blocked by a backend issue

  • datarest
    – Reduced / alternate backend
    – Actively deployed and operational

This means:

  • You cannot blindly merge datarest → main

  • You should selectively apply security fixes when main becomes viable again

Your stated plan aligns exactly with that constraint.

Correct future workflow for updating main

When you are ready to update main, do the following:

Step 1: Bring main to a stable state

Fix or work around the backend issue so that:

  • main can build

  • Dependency upgrades will not mask unrelated failures

This is important for clear causality.

Step 2: Apply the Vercel security fix to main

You have two clean options.

Option A (preferred): Cherry-pick the fix commit

Cherry-pick only:

Fix React Server Components CVE vulnerabilities

This:

  • Applies the security fix

  • Avoids pulling any datarest-specific logic

  • Keeps main’s history clean and intentional

Option B: Merge the Vercel branch into main

Merge:

vercel/react-server-components-cve-vu-6pwgap → main

This is also acceptable because:

  • That branch contains only the security change

  • It is orthogonal to your backend divergence

Step 3: Verify and deploy main (when applicable)

Once main builds and runs:

  • Confirm security dashboard status

  • Confirm runtime behavior

  • Only then proceed to cleanup

Step 4: Delete the Vercel security branch

At that point:

  • The fix exists in both long-lived branches

  • The temporary remediation branch has served its purpose

Deleting it then is the right time, not now.

Why not deleting it yet is correct

Keeping the branch for now gives you:

  • A guaranteed reference to the original fix

  • A clean source for cherry-picking

  • Zero risk of losing context or accidentally missing a commit

Premature deletion would only increase future friction.

Bottom line

Your proposed lifecycle is exactly right:

  1. Security fix merged into datarest ✔️

  2. Vercel branch retained temporarily ✔️

  3. main updated later with the same fix ✔️

  4. Vercel branch deleted after both branches are secured ✔️

This reflects deliberate, professional branch management, not ad-hoc merging. You are making the right tradeoffs.

====================================================================
====================================================================
On 06 December 2025, I received a mail from Vercel and also a message from a friend about CVE-2025-55182 security issue impacting Next.js projects (which use React Server Components).

Given below is a log of how I checked whether the issue is impacting my Gita project.

For my Gita project:
npm list next

dev> npm list next
test1@0.1.0 C:\Users\ravi-user\CurrProj\Others\Nextjs\gitaapp-twts\dev
├── next@14.2.3
└─┬ nextjs-toploader@1.6.12
  └── next@14.2.3 deduped

dev>
------------

Vercel in email on 6 Dec. 2025 provided this blog post link: https://vercel.com/blog/resources-for-protecting-against-react2shell , dated 5 Dec. 2025. Some extracts from it:

If your application is hosted on Vercel, our WAF is already filtering and blocking known exploit patterns. However, upgrading to a patched version is strongly recommended and the only complete fix. All users of React Server Components, whether through Next.js or any other framework, should update immediately.
...

Today, we also shipped a change to block new deployments of projects using vulnerable versions of Next.js.

...

For Next.js
Compare your version of Next.js against the table below. You can find your Next.js version through either of the following methods:

Load a page from your app and run next.version in the browser console to see the current version

Inspect your project’s package.json and look for next in your project dependencies
--- end extracts ---

In browser console, for https://gita-rsi.vercel.app/ ran:
next.version
'14.2.3'

----------
So clearly, I am using Nextjs 14.2.3

The above blog post: https://vercel.com/blog/resources-for-protecting-against-react2shell states vulnerable versions of Next.js as between 15.0.x and 16.0.x for regular versions and also canary versions (Next.js 14 canaries after 14.3.0-canary.76). I am not using a canary version.

To be on safer side, I did a redeployment around 7.08 PM on 6 Dec. 2025, of the last production deployment (datarest branch). The redeployment was successful. Vercel did not block the redeployment. I think all this indicates that I need not do a patch or upgrade.
Upgrade can break some other code and so I don't want to do it.
No question of patch as the version I am using - Nextjs 14.2.3 - is not vulnerable and so the blog post does not list a patch version for it.

Just visited the app. Home page loaded OK and also another page loaded OK.
===========================

Comments

Post a Comment