[Dependencies] Update version of dependencies to fix vulnerabilities

[austsinovich]

Link to the code that reproduces this issue

GHSA-83fc-fqcc-2hmg

To Reproduce

GHSA-83fc-fqcc-2hmg
Here are some vulnerabilities in React packages. Could you update dependencies to patched versions for next v15?

Current vs. Expected behavior

Current: AWS inspector shows vulnerabilities
Expected: AWS inspector does not show vulnerabilities

Provide environment information

"next": "15.5.14",
"react": "19.1.5",

Which area(s) are affected? (Select all that apply)

React

Which stage(s) are affected? (Select all that apply)

Other (Deployed)

Additional context

No response

[hammadxcm]

Investigation Summary

The vulnerability referenced in GHSA-83fc-fqcc-2hmg (CVE-2026-23864) — Denial of Service in React Server Components — was fixed upstream in facebook/react#35632 ("[Flight] Add more DoS mitigations to Flight Reply, and harden Flight"), merged on 2026-01-26.

What was fixed

The vulnerability allowed specially crafted HTTP requests to Server Function endpoints to cause server crashes, out-of-memory exceptions, or excessive CPU usage (CWE-400, CWE-502). The fix introduced multiple mitigations into the Flight protocol deserialization:

Protection	Detail
Bound arguments limit	Server Functions limited to 1,000 bound arguments
Array size / nesting limit	Default cap of 1,000,000 total slots across nested arrays
BigInt size limit	Rejects BigInt values exceeding 300 digits
__proto__ pollution guards	Skips/deletes __proto__ keys at multiple deserialization points
then key poisoning prevention	Prevents deserialized objects from appearing as thenables

Status in Next.js

Next.js vendors its own copies of react-server-dom-webpack and react-server-dom-turbopack from React canary builds. The current Next.js canary already vendors from React canary 8b2e903a (Mar 20, 2026), which is ~55 days after the fix was merged (Jan 26) and 128+ commits ahead of the fix commit. The vendored packages already contain all the above protections.

I've verified the protections are present in the vendored server CJS files by inspecting the compiled code in packages/next/src/compiled/react-server-dom-webpack/cjs/ and packages/next/src/compiled/react-server-dom-turbopack/cjs/.

Additionally, Next.js itself adds server-level protections on top of React's:

• HTTP body size limit: default 1 MB (configurable via serverActions.bodySizeLimit in next.config.js)
• CSRF / origin validation with configurable allowedOrigins
• Action ID validation (length check + serverModuleMap lookup)

For users on Next.js 15.x

If you are using react@19.1.5 (which you mentioned), that version already includes the CVE fix — it was one of the patched stable releases. The vendored React inside Next.js 15.x releases from after January 26, 2026 would also contain the fix.

If your AWS Inspector is still flagging this, it may be matching on the vendored package version strings rather than checking the actual code content. You can verify the fix is present by checking for the _arraySizeLimit property and bumpArrayCount function in your installed node_modules/next/dist/compiled/react-server-dom-webpack/cjs/react-server-dom-webpack-server.node.production.js.

PR

Sync to latest React canary (c0d218f0, Mar 24): #91894

[icyJoseph]

Hi @austsinovich this was patched for the version 15 range, https://vercel.com/changelog/summary-of-cve-2026-23864:

• Fixed in: 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, 16.2.0-canary.9

What's your specific claim here?

[austsinovich]

@icyJoseph looks like you fixed it in 15.6.0-canary.61 version but we do not want to use canary version. When are you going to release it?

[christopherjohnson3028-stack]

As noted in the previous comments, the fix for CVE-2026-23864 has already been backported to several stable releases in the 15.x range, including 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, and 15.5.10.

…

On Thu, Mar 26, 2026, 12:18 PM Aliaksandr Ustsinovich < ***@***.***> wrote: *austsinovich* left a comment (vercel/next.js#91890) <#91890 (comment)> @icyJoseph <https://github.com/icyJoseph> looks like you fixed it in 15.6.0-canary.61 version but we do not want to use canary version. When are you going to release it? — Reply to this email directly, view it on GitHub <#91890?email_source=notifications&email_token=B67D5GORZV2Y2W2IQATC4TT4SVRAFA5CNFSNUABFM5UWIORPF5TWS5BNNB2WEL2JONZXKZKDN5WW2ZLOOQXTIMJTGY3TMNRUGYZKM4TFMFZW63VKON2WE43DOJUWEZLEUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#issuecomment-4136766462>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/B67D5GJPX26ZML2GZSFVKYD4SVRAFAVCNFSM6AAAAACW6SHLY2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DCMZWG43DMNBWGI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[icyJoseph]

@austsinovich - which version are you after exactly? there's been some noise on this thread... What version do you have right now? What is the problem you are seeing exactly?