Conversation

@MaheshtheDev
Member

@MaheshtheDev MaheshtheDev commented Dec 3, 2025

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Dec 3, 2025

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ⛔ Deployment terminated (View logs)
Name: supermemory-app
Latest Commit: 434522d
Updated (UTC): Dec 03 2025, 06:35 PM

@MaheshtheDev MaheshtheDev marked this pull request as ready for review December 3, 2025 18:12
@graphite-app graphite-app bot requested a review from Dhravya December 3, 2025 18:12


How to use the Graphite Merge Queue

Add the label Main to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@graphite-app

graphite-app bot commented Dec 3, 2025

Merge activity

@graphite-app

graphite-app bot commented Dec 3, 2025

Waynes World Thumbs Up GIF by Hollywood Suite (Added via Giphy)

@graphite-app graphite-app bot force-pushed the 12-03-fix_rsc_critical_vulnerability_for_react branch from 819f033 to 434522d Compare December 3, 2025 18:14
@claude

claude bot commented Dec 3, 2025

Security Vulnerability Fix Review

Overview

This PR addresses CVE-2025-66478, a critical Remote Code Execution vulnerability in React Server Components with a CVSS score of 10.0. The fix upgrades Next.js from version 16.0.1 to 16.0.7.


✅ Positive Findings

1. Critical Security Issue - Correctly Addressed

  • The upgrade to Next.js 16.0.7 is the correct patch version for the 16.0.x line
  • This is a mandatory security update with no configuration workarounds
  • The vulnerability affects all Next.js 15.x and 16.x versions using App Router with Server Components

2. Minimal, Focused Change

  • Only updates the affected dependency (Next.js)
  • Lock file changes are consistent with the package.json update
  • No unnecessary code modifications that could introduce regressions

3. Appropriate Urgency

  • Given the CVSS 10.0 score and potential for remote code execution, this PR should be prioritized for immediate merge and deployment

⚠️ Recommendations

1. Test Coverage

Issue: No test files found in apps/web/ directory.

Recommendation: Before merging, manually verify:

  • All Server Components render correctly
  • No runtime errors in development and production builds
  • Core user workflows function as expected (authentication, data fetching, etc.)
  • Run bun run build to ensure no build-time errors

Testing commands:

cd apps/web
bun run build          # Verify production build succeeds
bun run dev            # Test in development mode

2. Lock File Integrity

Issue: The bun.lock file shows 623 additions and 63 deletions, which seems larger than expected for a single dependency patch version upgrade.

Recommendation: Verify the lock file changes are legitimate:

# Clean install to verify lock file consistency
rm -rf node_modules bun.lock
bun install
git diff bun.lock  # Should match PR changes

Notable lock file changes observed:

  • Added apps/raycast-extension workspace (unexpected - may be from a merge conflict or local changes)
  • Updated @supermemory/memory-graph version from 0.1.1 to 0.1.2
  • Added multiple TypeScript ESLint and Raycast dependencies

Action required: Confirm these additional changes are intentional or rebase the branch.

3. Deployment Priority

Given the severity:

  • Fast-track this PR through review
  • Deploy immediately after merge
  • Monitor Sentry for any new errors post-deployment
  • Consider a rollback plan if issues arise

4. Documentation

Recommendation: Add a brief PR description explaining:

  • The vulnerability being addressed
  • Why this upgrade is critical
  • Link to the official CVE announcement (already included but could be expanded)

🔍 Code Quality Assessment

Security ✅

  • Excellent: Addresses critical RCE vulnerability
  • No introduction of insecure patterns

Dependencies ✅

  • Next.js 16.0.7 is the latest patched version
  • All Next.js platform-specific packages updated correctly in lock file

Performance ✅

  • Patch version update - no expected performance regressions
  • May include performance improvements from intermediate patches

Compatibility ⚠️

  • Minor concern: Upgrading from 16.0.1 to 16.0.7 skips 5 minor patch versions
  • Review Next.js 16.0.x changelog for any breaking changes

📋 Pre-Merge Checklist

  • Clean the lock file to remove unrelated changes (Raycast extension, memory-graph version bump)
  • Run full production build: bun run build
  • Manual testing of critical paths
  • Review Next.js 16.0.2 through 16.0.7 changelogs for any behavioral changes
  • Ensure CI/CD pipeline passes (if configured)
  • Plan immediate deployment post-merge

🎯 Final Verdict

APPROVE with recommendations: This is a critical security fix that must be merged urgently. However, the lock file contains unexpected changes that should be cleaned up to ensure only the Next.js security patch is included.

Priority: 🔴 Critical - Merge ASAP


Additional Notes

Per the CLAUDE.md guidelines:

  • This project uses Bun as the package manager ✅
  • Uses Biome for linting/formatting (no changes needed here) ✅
  • Sentry integration should monitor for any post-deployment issues ✅

Next steps after merge:

  1. Deploy to production immediately
  2. Monitor Sentry dashboards for 24-48 hours
  3. Communicate the security patch to the team
  4. Consider setting up automated security vulnerability scanning

Great work on addressing this quickly! Let me know if you need help with testing or deployment.

🤖 Generated with Claude Code
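The review above recommends confirming that the project is actually on the patched Next.js release. The following is an added example, not code from the PR or the supermemory project: a small Node script that reads a package.json text, finds the `next` dependency and classifies it against the patched version the review names (16.0.7 for the 16.0.x line). Range specifiers such as `^16.0.1` are deliberately reported as "review" rather than guessed, because only the lockfile says what such a range resolved to. The sample package.json contents and the `PATCHED` table are constructed from the versions mentioned on this page; no patched versions for other release lines are assumed.

```javascript
// Added example (not part of the PR): classify a project's Next.js pin
// against the patched version named in the review comments.
// Assumptions: 16.0.7 is the patched release for the 16.0.x line (from the
// PR); majors 15 and 16 are the affected lines (from the review). Any other
// affected line has no fix version recorded here and is reported as "review".

const PATCHED = { "16.0": "16.0.7" };        // line -> first patched version
const AFFECTED_MAJORS = new Set([15, 16]);  // majors the review says are affected

// Parse an exact "x.y.z" (optionally with a leading "v" or a prerelease tag).
// Returns null for anything that is not an exact pin (e.g. "^16.0.1", "latest").
function parseExact(spec) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(spec).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Returns { status, reason } with status one of:
// "not-affected", "patched", "vulnerable", "review".
function classifyNext(spec) {
  const v = parseExact(spec);
  if (!v) {
    return { status: "review", reason: `"${spec}" is a range, check the lockfile resolution` };
  }
  if (!AFFECTED_MAJORS.has(v.major)) {
    return { status: "not-affected", reason: `major ${v.major} is outside the affected lines` };
  }
  const line = `${v.major}.${v.minor}`;
  const fixed = PATCHED[line];
  if (!fixed) {
    return { status: "review", reason: `no patched version recorded for ${line}.x` };
  }
  return compareVersions(v, parseExact(fixed)) >= 0
    ? { status: "patched", reason: `${spec} >= ${fixed}` }
    : { status: "vulnerable", reason: `${spec} < ${fixed}` };
}

// Audit the text of a package.json (dependencies or devDependencies).
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const deps = Object.assign({}, pkg.devDependencies || {}, pkg.dependencies || {});
  if (!("next" in deps)) return { status: "not-affected", reason: "next is not a dependency" };
  return classifyNext(deps.next);
}

// Constructed sample inputs mirroring the PR's before/after state.
const BEFORE_PKG = JSON.stringify({ name: "web", dependencies: { next: "16.0.1" } });
const AFTER_PKG = JSON.stringify({ name: "web", dependencies: { next: "16.0.7" } });

for (const [label, text] of [["before", BEFORE_PKG], ["after", AFTER_PKG]]) {
  const r = auditPackageJson(text);
  console.log(`${label}: ${r.status} (${r.reason})`);
}
```

Run it with `node check-next.js` (filename assumed); to use it on a real tree, replace the constructed strings with `fs.readFileSync("apps/web/package.json", "utf8")`. A "review" result is the cue to look at the resolved version in bun.lock rather than at the range in package.json.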

@graphite-app graphite-app bot merged commit 434522d into main Dec 3, 2025
3 of 4 checks passed
@claude

claude bot commented Dec 3, 2025

Security Review - CVE-2025-66478 Patch

✅ Overall Assessment: APPROVED (PR already merged)

This PR addresses a critical security vulnerability (CVSS 10.0) and was correctly prioritized for immediate merge.


🔒 Security Analysis

Vulnerability Details:

  • CVE-2025-66478 - React Server Components (RSC) protocol vulnerability
  • Severity: Critical (CVSS 10.0)
  • Impact: Remote code execution via malicious RSC requests
  • Affected: Next.js 16.0.1 and other 15.x/16.x versions
  • Fix: Upgrade to Next.js 16.0.7 (patched version)

Assessment: Correctly addressed

  • The upgrade from 16.0.1 → 16.0.7 is the exact version required per the official security advisory
  • No workarounds exist - upgrade is mandatory
  • This affects App Router applications (which supermemory uses)

📦 Code Quality & Changes

Primary Changes:

  1. apps/web/package.json: Next.js version bump (line 67)
  2. bun.lock: Lockfile updates including:
    • All Next.js platform binaries updated to 16.0.7
    • New Raycast extension dependencies added
    • Memory graph package version bump (0.1.1 → 0.1.2)

Observations:

Good:

  • Minimal, focused change addressing security vulnerability
  • No unnecessary modifications to application code
  • Lockfile properly updated with all transitive dependencies

⚠️ Notes:

  • Raycast Extension Added: The lockfile shows a new apps/raycast-extension workspace was added with dependencies like @raycast/api, @raycast/utils, and ESLint configs. This appears unrelated to the security fix and may have been inadvertently included.
    • If intentional: Consider separating infrastructure changes from security patches
    • If unintentional: May want to revert these changes
  • Memory Graph Bump: Version bump from 0.1.1 → 0.1.2 also appears unrelated
  • Lockfile Config: Removed "configVersion": 0 property (likely benign)

🧪 Testing & Compatibility

Breaking Changes: ✅ None expected

  • Patch versions (16.0.x) should maintain API compatibility
  • No API changes documented between 16.0.1 and 16.0.7
  • Primary change is security hardening in RSC protocol

Recommended Testing:

  • ✅ Verify App Router functionality works as expected
  • ✅ Test authentication flows (Better Auth integration)
  • ✅ Verify API routes still function correctly
  • ✅ Test content upload/search workflows
  • ✅ Check Sentry integration still reports correctly

🎯 Best Practices Observations

✅ What was done well:

  • Rapid response to critical CVE (good security posture)
  • Linked to official CVE documentation in PR
  • Clean, minimal change scope

💡 Suggestions for future security patches:

  1. Separate concerns: Security patches should be isolated from feature additions (Raycast extension)
  2. Testing notes: Add manual testing checklist or CI confirmation in PR description
  3. Rollback plan: Document rollback procedure for critical patches
  4. Changelog: Consider adding entry to CHANGELOG.md for visibility

🔍 Dependency Analysis

New Dependencies from Lockfile (Raycast-related):

@raycast/api, @raycast/utils, @raycast/eslint-config, @raycast/eslint-plugin
@oclif/core, @oclif/plugin-autocomplete, @oclif/plugin-help, @oclif/plugin-not-found
@typescript-eslint/* (multiple packages)
[email protected]

Recommendation: If the Raycast extension is intentional, consider:

  • Adding documentation for the new Raycast extension
  • Updating README with Raycast integration details
  • Creating separate PR for better change tracking

🏁 Final Verdict

Status: APPROVED & MERGED

This PR successfully addresses a critical remote code execution vulnerability and should remain merged. The security fix is correct and necessary.

Post-merge recommendations:

  1. Verify production deployment is using Next.js 16.0.7
  2. Monitor Sentry for any RSC-related errors after deployment
  3. Consider cleanup PR to clarify Raycast extension addition
  4. Add this CVE to your security incident log/documentation

Security Impact: 🔴 → 🟢 (Critical vulnerability resolved)


Review conducted following repository CLAUDE.md conventions and security best practices.
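Both reviews flag that the lockfile diff carries changes unrelated to the Next.js bump (a new Raycast workspace, a `@supermemory/memory-graph` bump). The following is an added example, not code from the PR or the project: given a package-name-to-version map extracted from the lockfile before and after the change, it lists every delta and flags anything outside an allowlist of packages the security bump is expected to touch (`next` and its `@next/*` platform binaries). How the maps are extracted from bun.lock is assumed and not shown; the sample maps below are constructed from the package names mentioned in the reviews, and the version strings for the Raycast packages are placeholders.

```javascript
// Added example (not part of the PR): scope check for a lockfile delta.
// Assumption: the only packages a Next.js security bump should change are
// "next" and its "@next/*" platform binaries; anything else is out of scope.
const ALLOWED = [/^next$/, /^@next\//];

// before/after: plain objects mapping package name -> resolved version
// (extraction from bun.lock is assumed to have happened elsewhere).
function lockfileDelta(before, after) {
  const names = new Set([...Object.keys(before), ...Object.keys(after)]);
  const changes = [];
  for (const name of [...names].sort()) {
    const from = before[name];
    const to = after[name];
    if (from === to) continue;
    const kind = from === undefined ? "added" : to === undefined ? "removed" : "changed";
    changes.push({ name, from, to, kind, inScope: ALLOWED.some((re) => re.test(name)) });
  }
  return changes;
}

// Names of changed packages that the bump was not expected to touch.
function outOfScope(before, after) {
  return lockfileDelta(before, after).filter((c) => !c.inScope).map((c) => c.name);
}

// Constructed sample maps; versions for the Raycast packages are placeholders.
const LOCK_BEFORE = {
  next: "16.0.1",
  "@next/swc-darwin-arm64": "16.0.1",
  "@supermemory/memory-graph": "0.1.1",
};
const LOCK_AFTER = {
  next: "16.0.7",
  "@next/swc-darwin-arm64": "16.0.7",
  "@supermemory/memory-graph": "0.1.2",
  "@raycast/api": "0.0.0-placeholder",
  "@raycast/utils": "0.0.0-placeholder",
};

for (const c of lockfileDelta(LOCK_BEFORE, LOCK_AFTER)) {
  const flag = c.inScope ? "ok " : "OUT";
  console.log(`${flag} ${c.kind.padEnd(7)} ${c.name}: ${c.from ?? "-"} -> ${c.to ?? "-"}`);
}
```

The out-of-scope list is what a reviewer would paste into the PR as the set of changes to drop or move to a separate PR; an empty list means the lockfile change matches the stated intent of the patch.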
