# React Flight / Next.js RCE Advisory - Vulnerability Fix and Update Report
## Summary
The umami repository was affected by the React Flight / Next.js RCE advisory. The repository had Next.js 15.5.3, which is vulnerable. This has been updated to the patched version 15.5.7.
## Affected Package Detection
Inspected all package.json files in the repository:
- Root package.json: ./package.json
- Monorepo: not a monorepo; a pnpm workspace is configured, but only the root package.json declares meaningful dependencies
## Changes Applied
### Next.js Vulnerability Fix
✅ **PATCHED** - Updated next from 15.5.3 to 15.5.7
- Previous version: next@15.5.3 (vulnerable)
- Updated version: next@15.5.7 (patched)
- This is the correct patch version for the 15.5.x line per the advisory
- Addresses the React Flight RCE vulnerability as it affects Next.js
### React Flight Packages Status
✅ **NOT AFFECTED** - Project does not use React Flight packages
- Project does NOT use react-server-dom-webpack
- Project does NOT use react-server-dom-parcel
- Project does NOT use react-server-dom-turbopack
- No React Flight specific patches required
### React & React-DOM Status
✅ **NO MANUAL CHANGES NEEDED** - Project uses React 19.2.0 and React-DOM 19.2.0
- These versions remain unchanged (correctly per the advisory)
- react and react-dom themselves are not vulnerable
- Next.js 15.5.7 provides the necessary security patches
- Per the advisory: "For Next.js projects, do not manually upgrade react or react-dom"
## Files Modified
1. **package.json**
   - Changed: `"next": "15.5.3"` → `"next": "15.5.7"`
2. **pnpm-lock.yaml**
   - Updated dependency locks to reflect Next.js 15.5.7
   - Cleaned up unused transitive dependencies (previous versions of sharp and emnapi)
## Verification Performed
✅ **Build Verification**: Next.js build completed successfully with `npm run build-app`
- Output shows all pages compiled correctly
- No build errors introduced by the package update
✅ **Lockfile Verification**: pnpm-lock.yaml correctly resolves to:
- next@15.5.7 (with expected dependencies)
- react@19.2.0 (unchanged as recommended)
- react-dom@19.2.0 (unchanged as recommended)
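The checks performed above (next on the patched 15.5.x release, no react-server-dom-* packages declared, react and react-dom left untouched) as an added script; it is not part of the umami repository, the advisory or this report. It runs on constructed package.json samples, treats 15.5.7 or any later patch on the 15.5.x line as patched, and reports other release lines as "unknown line" because their patched versions are not given here.

```javascript
// Added verification helper (not code from the umami repository or the advisory).
// Audits a package.json text for the conditions this report verifies by hand:
//   1. "next" pinned to a patched 15.5.x release (15.5.7 or later on that line)
//   2. no React Flight packages (react-server-dom-*) declared as dependencies
//   3. react / react-dom versions recorded, so before/after can be compared
// Only the 15.5.x line is known here; other lines are reported as 'unknown line'.

const PATCHED_15_5_PATCH = 7; // 15.5.7 per the advisory for the 15.5.x line
const FLIGHT_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];

// Parse "15.5.3", "^15.5.3" or "~15.5.3" into [major, minor, patch]; null if unparseable.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const result = { next: 'missing', flightPackages: [], react: null, reactDom: null };

  const v = deps.next ? parseVersion(deps.next) : null;
  if (!v) {
    result.next = deps.next ? 'unparseable' : 'missing';
  } else if (v[0] !== 15 || v[1] !== 5) {
    result.next = 'unknown line'; // patched version for this line is not on this page
  } else {
    result.next = v[2] >= PATCHED_15_5_PATCH ? 'patched' : 'vulnerable';
  }

  result.flightPackages = FLIGHT_PACKAGES.filter((name) => name in deps);
  result.react = deps.react || null;
  result.reactDom = deps['react-dom'] || null;
  return result;
}

// Constructed samples mirroring the before/after state described in this report.
const BEFORE = JSON.stringify({ dependencies: { next: '15.5.3', react: '19.2.0', 'react-dom': '19.2.0' } });
const AFTER = JSON.stringify({ dependencies: { next: '15.5.7', react: '19.2.0', 'react-dom': '19.2.0' } });

console.log('before:', auditPackageJson(BEFORE)); // next: 'vulnerable'
console.log('after: ', auditPackageJson(AFTER));  // next: 'patched', flightPackages: []
```

To run it against the real repository, replace the constructed samples with `fs.readFileSync('package.json', 'utf8')`; the lockfile still needs the manual `pnpm-lock.yaml` check described above.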
## Conclusion
The vulnerability has been successfully patched. The repository now uses the secure version of Next.js (15.5.7) that addresses the React Flight RCE advisory. The build completes successfully, confirming compatibility with the patched version.
No other changes were required, as the project does not use any React Flight packages.
Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>