Pre-patch React canaries in patched Next.js versions (CVE-2025-55182)

[jonaseriksson84]

Link to the code that reproduces this issue

https://github.com/jonaseriksson84/verify-nextjs-react-versions/tree/main

To Reproduce

For example:

npm pack next@15.2.6 --silent 
tar -xzf next-15.2.6.tgz 
grep -oE '19\.[0-9]+\.[0-9]+-[a-z]+-[a-f0-9]+-[0-9]+' package/dist/compiled/next-server/app-page.runtime.prod.js | sort -u

With the result:
19.1.0-canary-029e8bd6-20250306

Current vs. Expected behavior

Current
Linked script that checks each of the patched Next.js versions will result in:

next-15.0.5.tgz: 19.0.0-rc-66855b96-20241106
next-15.1.9.tgz: 19.0.0-rc-65e06cb7-20241218
next-15.2.6.tgz: 19.1.0-canary-029e8bd6-20250306
next-15.3.6.tgz: 19.2.0-canary-3fbfb9ba-20250409
next-15.4.8.tgz: 19.2.0-canary-97cdd5d3-20250710
next-15.5.7.tgz: 19.2.0-canary-0bdb9206-20250818
next-16.0.7.tgz: 19.3.0-canary-52684925-20251110

Expected
React versions 19.0.1, 19.1.1 19.2.1, or at least React versions released 2025-12-03 or later.

Provide environment information

Operating System:
  Platform: linux
  Arch: x64
  Version: #1 SMP Tue Nov 5 00:21:55 UTC 2024
  Available memory (MB): 64146
  Available CPU cores: 32
Binaries:
  Node: 20.11.1
  npm: 10.2.4
  Yarn: 1.22.22
  pnpm: 9.15.9
Relevant Packages:
  next: 15.2.6 // An outdated version detected (latest is 16.0.7), upgrade is highly recommended!
  eslint-config-next: N/A
  react: 18.3.1
  react-dom: 18.3.1
  typescript: N/A
Next.js Config:
  output: N/A

Which area(s) are affected? (Select all that apply)

Server Actions

Which stage(s) are affected? (Select all that apply)

Other (Deployed)

Additional context

According to Next.js Security Advisory the following versions are patched:
15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

But when looking at the source files themselves, more specifically in dist/compiled/next-server/app-page.runtime.prod.js it looks like they ship with unpatched versions of React.

From what I understand, the app router in production uses dist/compiled/next-server/app-page.runtime.prod.js in production, and that this file specifically is what would handle server actions? Since the version strings in these files don't match the officially patched versions it makes me confused.

I'm not sure if:

• The fix is in these specific canary commits despite the version numbering
• The fix is implemented differently at the Next.js layer
• I'm looking at the wrong thing entirely

Appreciate any advice or pointers to confirm these patched versions are safe from the exploit, even though the version number looks off?

[icyJoseph]

The patched packages are:

• packages/next/src/compiled/react-server-dom-webpack
• packages/next/src/compiled/react-server-dom-turbopack

Or, the compiled/vendored in version rather. That's where the vulnerable code was, and that's what's been patched.

As per https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components:

The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:

react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack

The vendored version you find to in your search, is for packages/next/src/compiled/react which is not compromised.

• https://github.com/vercel/next.js/blob/v15.2.6/packages/next/src/compiled/react/cjs/react.production.js#L546