On December 3, the React team disclosed a CVSS 10.0 vulnerability that allows unauthenticated remote code execution in apps that use React Server Components, specifically apps that expose React Server Functions. The flaw is in how React deserializes the payload a client sends to a Server Function endpoint, so an attacker only needs network access to such an endpoint, not a valid session.
The bug lives in React's own server packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack), so it reaches every framework and bundler integration built on them, not only apps that depend on React directly. The affected frameworks and bundlers include next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
CVSS 10 is the highest critical rating a security flaw can receive, so treat the warning seriously and update every affected app now; the React team and the framework maintainers have already published fixed releases. Updating package.json alone does nothing for a running app: the fix takes effect only once you rebuild and redeploy.
For React Router,
npm install react@latest
npm install react-dom@latest
npm install react-server-dom-parcel@latest
npm install react-server-dom-webpack@latest
npm install @vitejs/plugin-rsc@latest
For Next apps of version 15 and above,
npm install next@15.0.5 # for 15.0.x
npm install next@15.1.9 # for 15.1.x
npm install next@15.2.6 # for 15.2.x
npm install next@15.3.6 # for 15.3.x
npm install next@15.4.8 # for 15.4.x
npm install next@15.5.7 # for 15.5.x
npm install next@16.0.7 # for 16.0.x
If you use Next.js 14.3.0-canary.77 or a later canary release, there is no patched canary to move to; downgrade the app to the latest stable 14 release.
npm install next@14
For RedwoodSDK (rwsdk 1.0.0-alpha.0 and later),
npm install rwsdk@latest # picks up the latest beta release
and upgrade to the latest react-server-dom-webpack,
npm install react@latest react-dom@latest react-server-dom-webpack@latest
For Waku, upgrade to the latest react-server-dom-webpack.
npm install react@latest react-dom@latest react-server-dom-webpack@latest waku@latest
For @vitejs/plugin-rsc, move up to the latest RSC plugin.
npm install react@latest react-dom@latest @vitejs/plugin-rsc@latest
If any of your applications depend on react-server-dom-parcel, react-server-dom-turbopack, or react-server-dom-webpack directly, update to the latest version of whichever one your bundler uses (a literal * in the command would be expanded by the shell as a file glob, so spell the package name out):
npm install react@latest react-dom@latest react-server-dom-parcel@latest
npm install react@latest react-dom@latest react-server-dom-turbopack@latest
npm install react@latest react-dom@latest react-server-dom-webpack@latest
If you see a banner on Vercel pointing out a vulnerability in your deployed app, that is your cue to update and redeploy.
Read the official React blog post for more information about the vulnerability and the patched versions.
Stay safe!!!
