Fix React Server Components RCE vulnerability #12

Draft
vercel[bot] wants to merge 1 commit into main from vercel/nextjsreact-flight-rce-vulnera-gfmvbk

Conversation

vercel bot commented Dec 11, 2025

Important

This is an automatic PR generated by Vercel to help you with patching efforts. We can't guarantee it's comprehensive, and it may contain mistakes. Please review our guidance before merging these changes.

A critical remote code execution (RCE) vulnerability in React Server Components, impacting frameworks such as Next.js, was identified in the project pro-edit. The vulnerability enables unauthenticated RCE on the server via insecure deserialization in the React Flight protocol.

This issue is tracked under:

This automated pull request upgrades the affected React and Next.js packages to patched versions that fully remediate the issue.

More Info | security@vercel.com

Updated dependencies to fix Next.js and React CVE vulnerabilities.

The fix-react2shell-next tool automatically updated the following packages to their secure versions:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack

All package.json files have been scanned and vulnerable versions have been patched to the correct fixed versions based on the official React advisory.

Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com>
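As an added illustration of the package.json scan the description above refers to (this is not Vercel's fix-react2shell-next tool nor any code from this PR), the following Node script flags a declared version of the listed packages whose lower bound is below the patched release. Only next's patched version (15.5.7, from this PR) appears on this page; the thresholds for the react-server-dom-* packages are left unset as an assumption to be filled from the official React advisory, so the script reports those as "unknown" rather than guessing.

```javascript
// Added example, not code from this PR or from Vercel's fix-react2shell-next
// tool: scan a package.json for the packages this PR bumps and report any
// declared version whose lower bound is below the patched release.
// ASSUMPTION: only next's patched version (15.5.7) is stated on this page; the
// react-server-dom-* thresholds come from the advisory and are left unset here.
const WATCHED = [
  "next",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
const PATCHED = { next: "15.5.7" }; // extend from the advisory

// Numeric lower bound of a range spec such as "^15.5.5" or ">=15.5.5 <16".
// Returns null for specs with no semver ("latest", "workspace:*", URLs).
function lowerBound(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmpVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Audit one package.json text; devDependencies are included so a server-side
// package declared under the wrong key is not silently skipped.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const out = { vulnerable: [], patched: [], unknown: [] };
  for (const name of WATCHED) {
    if (!(name in deps)) continue;
    const have = lowerBound(deps[name]);
    const want = PATCHED[name] ? lowerBound(PATCHED[name]) : null;
    if (!have || !want) { out.unknown.push(name); continue; }
    (cmpVersions(have, want) < 0 ? out.vulnerable : out.patched).push(name);
  }
  return out;
}

// Constructed sample mirroring this PR's before-state (next at 15.5.5).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { next: "^15.5.5", "react-server-dom-webpack": "19.1.0" },
  devDependencies: { "eslint-config-next": "15.5.5" },
});

console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
```

Prerelease tags are ignored by the comparison, so a canary build such as 15.5.7-canary.1 reports as patched; treat such entries as unknown if you ship prereleases, and run the same check over the lockfile to catch transitive copies.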

vercel bot commented Dec 11, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
pro-edit Ready Ready Preview Comment Dec 11, 2025 6:01pm


claude bot commented Dec 11, 2025

🔒 Security PR Review - APPROVED

Status: ✅ CRITICAL - APPROVE AND MERGE IMMEDIATELY


Security Assessment

This PR addresses critical RCE vulnerabilities:

  • CVE-2025-55182 (React): Remote code execution via insecure deserialization in React Flight protocol
  • CVE-2025-66478 (Next.js): Related Next.js security issue
  • Severity: Enables unauthenticated remote code execution on the server

Patch Quality: ✅ APPROVED

The changes correctly upgrade Next.js from 15.5.5 → 15.5.7 and update all related SWC binaries to patched versions.


Code Quality Review

✅ Strengths

  1. Comprehensive Updates

    • Main Next.js package updated
    • @next/env properly synchronized
    • All 8 platform-specific SWC binaries updated consistently
    • Lock file integrity hashes properly updated
  2. Minimal Surface Area

    • Surgical changes focused only on security patches
    • No extraneous modifications
    • No code changes, only version bumps
  3. Trusted Source

    • Automated PR from Vercel security team
    • Well-documented with security advisory links

⚠️ Minor Observation

  • eslint-config-next remains at 15.5.5 (package.json:76)
  • This is a dev dependency and won't affect the security fix
  • Recommendation: Update in a follow-up PR for consistency

Test Coverage Recommendations

Before merging, please verify:

# Type check
npm run type-check

# Build verification
npm run build

# Test suite
npm test

# E2E tests
npm run test:e2e

Manual Testing:

  • Authentication flow (Supabase Google OAuth)
  • Video upload and preview
  • Export functionality

Performance & Compatibility

No breaking changes expected

  • Same runtime behavior
  • Security patch release, not a feature update
  • React 19.1.0 compatibility maintained

Final Recommendation

🔴 MERGE IMMEDIATELY - DO NOT DELAY

Pre-Merge Checklist:

  • Run npm install
  • Verify npm run type-check (expect 0 errors)
  • Verify npm run build succeeds
  • Verify test suite passes
  • Test critical user flows

Post-Merge Actions:

  1. Deploy to production immediately after CI passes
  2. Monitor error logs for 24 hours
  3. Create follow-up PR for eslint-config-next update
  4. Document security patch in RELEASE_NOTES.md

Project Alignment

✅ Changes align with project conventions (docs/CLAUDE.md):

  • TypeScript 5.3+ maintained
  • React 19 maintained
  • Next.js 15 requirement satisfied
  • No changes to project structure

References


Reviewed by: Claude Code (Sonnet 4.5)
Review Date: 2025-12-11
Verdict: ✅ APPROVED - SECURITY CRITICAL
