Skip to content

Sync with react.dev @ abe931a8 #567

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
react-translations-bot wants to merge 54 commits into
base: main
Choose a base branch
from
Open

Sync with react.dev @ abe931a8 #567

Changes from 1 commit
Commits
Show all changes
54 commits
Select commit Hold shift + click to select a range
b440d66
fix(links): update internal links (#8136)
okeken Nov 10, 2025
27576f1
fix(useTransition): correct anchors pointing to non-blocking updates …
SecondThundeR Nov 14, 2025
2534424
fix: Stop SmartyPants from altering TerminalBlock commands (like `--s…
smikitky Nov 15, 2025
4704ce6
blog post (#8170)
rickhanlonii Dec 3, 2025
9c880bd
fix: use correct function name (#8171)
FelixTraxler Dec 3, 2025
e2b59da
add update instructions (#8172)
rickhanlonii Dec 3, 2025
0828d50
Update React releases (#8173)
eps1lon Dec 3, 2025
ac47e52
Update upgrade instructions for React Server Components (Waku section…
dai-shi Dec 4, 2025
d8b1fe8
Upgrade Next from 15.1.0 to 15.1.9 (#8175)
mattcarrollcode Dec 4, 2025
5876ed5
blog: update RSC security vulnerability guidance for Expo (#8177)
vonovak Dec 5, 2025
e22544e
Add Vulnerability in React Server Components to sidebarBlog.json (#8178)
SSakutaro Dec 5, 2025
cffb6a7
Specify that Effects run on commit, not render (#8162)
eps1lon Dec 11, 2025
2a0fed0
12/11 blog post (#8193)
rickhanlonii Dec 11, 2025
1a955f0
rm localhost link (#8194)
rickhanlonii Dec 11, 2025
72f8998
Update instructions (#8195)
rickhanlonii Dec 11, 2025
e44d3b7
Add additional DoS CVE (#8196)
rickhanlonii Dec 11, 2025
9527378
update nextjs instructions (#8197)
rickhanlonii Dec 12, 2025
1e74023
[Blog] Update safe Next.js versions (#8199)
mattcarrollcode Dec 12, 2025
2da4f7f
Update to Next.js 15.1.11 (#8200)
mattcarrollcode Dec 12, 2025
a1ddcf5
Add caveat to useId for cache keys (#8242)
rickhanlonii Jan 16, 2026
ed87618
Update DoS blog post with additional CVE (#8263)
rickhanlonii Jan 26, 2026
303e6b4
Init claude config (#8265)
rickhanlonii Jan 27, 2026
3938fbf
Update deps (#8268)
rickhanlonii Jan 28, 2026
dcc5deb
Add llms.txt (#8267)
gaearon Jan 28, 2026
61b1f51
Add sections to llms.txt and sitemap footer to *.md (#8270)
rickhanlonii Jan 28, 2026
d340c41
Remove feedback (#8271)
rickhanlonii Jan 28, 2026
a2a19ba
feat: Add Accept header content negotiation for markdown (#8272)
icyJoseph Jan 28, 2026
ec13a90
remove outdated note about streaming ssr (#8277)
hernan-yadiel Jan 29, 2026
24ec67e
fix: use beforeFiles (#8276)
icyJoseph Jan 30, 2026
29743d0
Revamp useOptimistic docs (#8264)
rickhanlonii Jan 30, 2026
4c52ab8
Update separating-events-from-effects.md (#8257)
wheresrhys Jan 30, 2026
38b52cf
More claude stuff (#8280)
rickhanlonii Jan 30, 2026
ff17a86
fix: correct typos and improve clarity in useOptimistic.md (#8283)
aurorascharff Feb 2, 2026
e05afa5
useEffectEvent revamp (#8279)
rickhanlonii Feb 4, 2026
bd87c39
Rephrase the rendering explanation paragraph (#8240)
BartoszKlonowski Feb 5, 2026
f653b03
Add .worktrees/ to .gitignore (#8297)
rickhanlonii Feb 10, 2026
46e040e
Fix date of CVE-2026-23864 (2025 => 2026) (#8302)
smikitky Feb 11, 2026
a19c98d
Fix confusion around Activity with text children (#8304)
eps1lon Feb 12, 2026
55a317d
Rewrite useActionState (#8284)
rickhanlonii Feb 15, 2026
a1cc2ab
Added missing prop to useActionState example (#8308)
JakeSaterlay Feb 17, 2026
c2aa350
Expand ViewTransition callback props reference documentation (#8306)
rickhanlonii Feb 23, 2026
68ff8c8
Add blog post: Launching the React Foundation (#8318)
mattcarrollcode Feb 24, 2026
e8ef063
Update logo credit link in uwu mode console log (#8315)
Cheesecake2960 Feb 25, 2026
dfa152b
[ViewTransition] Add docs for using with Activity (#8320)
rickhanlonii Feb 25, 2026
11e4ad5
Add /write command (#8327)
rickhanlonii Feb 27, 2026
427f24d
Add RSC Sandboxes (#8300)
rickhanlonii Feb 28, 2026
180364f
Add Copy Page button (#8341)
gaearon Mar 8, 2026
449d62c
Add ZurichJS Conference 2026 to community conferences
farisaziz12 Mar 8, 2026
7c90c6e
Update conferences: move past events (Sep 2025 – Feb 2026) to Past se…
aurorascharff Mar 8, 2026
40ea071
Fix copy button on Safari
gaearon Mar 9, 2026
1207ee3
fix: markdown rewrite excludes api/md paths (#8379)
icyJoseph Mar 31, 2026
e377252
Add no-trailing-spaces ESLint rule (#8356)
mattcarrollcode Apr 8, 2026
abe931a
fix: replace Imgur-hosted images with self-hosted assets (#8402)
travisbreaks Apr 9, 2026
028bcf6
merging all conflicts
react-translations-bot Apr 27, 2026
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
add update instructions (#8172)
  • Loading branch information
@rickhanlonii
rickhanlonii authored Dec 3, 2025
commit e2b59dab82146834e5e84911fb2ad4973d88cab9
112 changes: 110 additions & 2 deletions ...t/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,19 +44,127 @@ Some React frameworks and bundlers depended on, had peer dependencies for, or in

We will update this post with upgrade instructions on how to upgrade as they become available.

### Hosting Provider Mitigations {/*hosting-provider-mitigations*/}

We have worked with a number of hosting providers to apply temporary mitigations.

You should not depend on these to secure your app, and still update immediately.

### Vulnerability overview {/*vulnerability-overview*/}

[React Server Functions](https://react.dev/reference/rsc/server-functions) allow a client to call a function on a server. React provides integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React translates requests on the client into HTTP requests which are forwarded to a server. On the server, React translates the HTTP request into a function call and returns the needed data to the client.

An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.

### Timeline {/*timeline*/}
## Update Instructions {/*update-instructions*/}

### Next.js {/*update-next-js*/}

All users should upgrade to the latest patched version in their release line:

```bash
npm install next@15.0.5 // for 15.0.x
npm install next@15.1.9 // for 15.1.x
npm install next@15.2.6 // for 15.2.x
npm install next@15.3.6 // for 15.3.x
npm install next@15.4.8 // for 15.4.x
npm install next@15.5.7 // for 15.5.x
npm install next@16.0.7 // for 16.0.x
```

If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:

```bash
npm install next@14
```

See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.

### React Router {/*update-react-router*/}

If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:

```bash
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
```

### Expo {/*expo*/}

Upgrade to the latest `react-server-dom-webpack`:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

### Redwood SDK {/*update-redwood-sdk*/}

Ensure you are on rwsdk>=1.0.0-alpha.0

For the latest beta version:

```bash
npm install rwsdk@latest
```

Upgrade to the latest `react-server-dom-webpack`:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

See [Redwood docs](https://docs.rwsdk.com/migrating/) for more migration instructions.

### Waku {/*update-waku*/}

Upgrade to the latest `react-server-dom-webpack`:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

### `@vitejs/plugin-rsc` {/*vitejs-plugin-rsc*/}

Upgrade to the latest RSC plugin:

```bash
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
```

### `react-server-dom-parcel` {/*update-react-server-dom-parcel*/}

Update to the latest version:

```bash
npm install react@latest react-dom@latest react-server-dom-parcel@latest
```

### `react-server-dom-turbopack` {/*update-react-server-dom-turbopack*/}

Update to the latest version:

```bash
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
```

### `react-server-dom-webpack` {/*update-react-server-dom-webpack*/}

Update to the latest version:

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

## Timeline {/*timeline*/}

* **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/).
* **November 30th**: Meta security researchers confirmed and began working with the React team on a fix.
* **December 1st**: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix
* **December 3rd**: The fix was published to npm and the publicly disclosed as CVE-2025-55182.

### Attribution {/*attribution*/}
## Attribution {/*attribution*/}

Thank you to [Lachlan Davidson](https://github.com/lachlan2k) for discovering, reporting, and working to help fix this vulnerability.