Created December 12, 2025 17:15
Batch Change spec for remediating newly disclosed React Server Components vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779). Detects all vulnerable and partially patched React 19.x react-server-dom-* dependencies and upgrades them to the final safe patch releases: 19.0.3, 19.1.4, and 19.2.3.
```yaml
version: 2
name: react-rsc-cve-2025-55183-55184-67779
description: >
  Remediate newly disclosed React Server Components vulnerabilities by upgrading
  react-server-dom-* packages to the final safe patch releases that fix:
  CVE-2025-55183 (source code exposure), CVE-2025-55184 (DoS), and
  CVE-2025-67779 (DoS).

on:
  # The pattern below is a regular expression, so the search is run as a
  # regexp query; the version group only matches 19.0.0-19.2.2 and so skips
  # repositories already on 19.0.3, 19.1.4 or 19.2.3.
  - repositoriesMatchingQuery: >
      context:global
      patterntype:regexp
      file:package.json
      "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?(19\.[0-2]\.[0-2])"

steps:
  # A batch spec step is a shell script under `run`, executed inside `container`.
  # The script rewrites the declared version in package.json and then runs
  # `npm install` again so the lockfile follows the change.
  - container: node:20
    run: |
      npm install
      node -e '
        const fs = require("fs");
        const files = ["package.json"];
        // Vulnerable or partially patched version -> final safe release.
        const replacements = {
          "react-server-dom-webpack": {
            "19.0.0": "19.0.3",
            "19.0.1": "19.0.3",
            "19.0.2": "19.0.3",
            "19.1.0": "19.1.4",
            "19.1.1": "19.1.4",
            "19.1.2": "19.1.4",
            "19.1.3": "19.1.4",
            "19.2.0": "19.2.3",
            "19.2.1": "19.2.3",
            "19.2.2": "19.2.3"
          },
          "react-server-dom-parcel": {
            "19.0.0": "19.0.3",
            "19.0.1": "19.0.3",
            "19.0.2": "19.0.3",
            "19.1.0": "19.1.4",
            "19.1.1": "19.1.4",
            "19.1.2": "19.1.4",
            "19.1.3": "19.1.4",
            "19.2.0": "19.2.3",
            "19.2.1": "19.2.3",
            "19.2.2": "19.2.3"
          },
          "react-server-dom-turbopack": {
            "19.0.0": "19.0.3",
            "19.0.1": "19.0.3",
            "19.0.2": "19.0.3",
            "19.1.0": "19.1.4",
            "19.1.1": "19.1.4",
            "19.1.2": "19.1.4",
            "19.1.3": "19.1.4",
            "19.2.0": "19.2.3",
            "19.2.1": "19.2.3",
            "19.2.2": "19.2.3"
          }
        };
        for (const file of files) {
          if (!fs.existsSync(file)) continue;
          const json = JSON.parse(fs.readFileSync(file, "utf8"));
          for (const section of ["dependencies", "devDependencies"]) {
            if (!json[section]) continue;
            for (const dep of Object.keys(replacements)) {
              if (!json[section][dep]) continue;
              // Strip any range prefix (^ or ~) before the table lookup.
              const current = json[section][dep].replace(/^[^0-9]*/, "");
              if (replacements[dep][current]) {
                json[section][dep] = "^" + replacements[dep][current];
              }
            }
          }
          fs.writeFileSync(file, JSON.stringify(json, null, 2) + "\n");
        }
      '
      npm install

changesetTemplate:
  title: "Upgrade react-server-dom-* to final safe patches (CVE-2025-55183/55184/67779)"
  body: |
    This change upgrades React Server Components dependencies to the final safe
    patch releases that address newly disclosed vulnerabilities:

    - CVE-2025-55184 (DoS)
    - CVE-2025-67779 (DoS)
    - CVE-2025-55183 (Source code exposure)

    Note: intermediate patch versions (19.0.2, 19.1.3, 19.2.2) are still
    vulnerable to the DoS issues. This update aligns all repositories with the
    definitive fixes: 19.0.3, 19.1.4, and 19.2.3.
  # `branch` and `commit.message` are required by the batch spec schema and
  # were missing from the original; the branch name is an assumption.
  branch: react-rsc-cve-2025-55183-55184-67779
  commit:
    message: "Upgrade react-server-dom-* to final safe patches (CVE-2025-55183/55184/67779)"
```
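The rewrite logic from the spec's `node -e` step, as an added example that is not part of the gist: it derives the safe target from the 19.x minor line instead of a lookup table, keeps the original range prefix (`^`, `~` or none) rather than forcing `^`, covers `optionalDependencies` and `peerDependencies` too, and reports specs it cannot interpret (ranges, unknown minor lines) for review instead of silently leaving a vulnerable repository untouched. The sample package.json and the function names are constructed for this example.

```javascript
// Added example (not the gist's own code). Same intent as the spec's rewrite
// step, generalised: targets derived per minor line, range prefix preserved,
// more dependency sections covered, unparseable specs reported for review.
const FIXED_PATCH = { 0: 3, 1: 4, 2: 3 }; // 19.0.3, 19.1.4, 19.2.3
const PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
const SECTIONS = ["dependencies", "devDependencies",
  "optionalDependencies", "peerDependencies"];

// Classify one version spec: safe, vulnerable (with the spec to write back),
// or review (a range or an unknown 19.x line that needs a human decision).
function classify(spec) {
  const m = /^([~^]?)19\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  if (!m) return { status: "review", reason: "not a single 19.x.y version" };
  const [, prefix, minor, patch] = m;
  const fixed = FIXED_PATCH[Number(minor)];
  if (fixed === undefined) return { status: "review", reason: `unknown line 19.${minor}` };
  if (Number(patch) >= fixed) return { status: "safe" };
  return { status: "vulnerable", target: `${prefix}19.${minor}.${fixed}` };
}

// Return an upgraded copy of a parsed package.json plus a per-finding report.
function remediate(pkg) {
  const out = JSON.parse(JSON.stringify(pkg)); // leave the caller's object intact
  const report = [];
  for (const section of SECTIONS) {
    const deps = out[section];
    if (!deps) continue;
    for (const name of PACKAGES) {
      if (!(name in deps)) continue;
      const result = classify(deps[name]);
      report.push({ section, name, spec: deps[name], ...result });
      if (result.status === "vulnerable") deps[name] = result.target;
    }
  }
  return { pkg: out, report };
}

// Constructed sample package.json: one vulnerable caret spec, one already-safe
// tilde spec, and one range the rule refuses to rewrite on its own.
const SAMPLE = {
  dependencies: { "react-server-dom-webpack": "^19.1.2", react: "^19.1.0" },
  devDependencies: { "react-server-dom-parcel": "~19.0.3" },
  peerDependencies: { "react-server-dom-turbopack": ">=19.2.0 <20" },
};
console.log(JSON.stringify(remediate(SAMPLE).report, null, 2));
```

Anything reported as `review` (such as the `>=19.2.0 <20` range) should be resolved by checking the version actually installed from the lockfile, since a range can satisfy both vulnerable and fixed releases.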