Fix React Server Components CVE vulnerabilities in remaining templates by sragss · Pull Request #707 · Merit-Systems/echo

sragss · 2026-01-13T17:09:44Z

Summary

Updates Next.js from 15.4.10 to 15.5.4 in remaining vulnerable templates:

templates/assistant-ui
templates/next-image
templates/next-video-template

CVEs Addressed

CVE-2025-55182: Node.js-only React Server Components RCE
CVE-2025-55183: Potential Authorization Bypass for RSC Actions
CVE-2025-55184: Potential Authorization Bypass for Server Function

Test plan

Verify Vercel deployments succeed
Test template functionality

🤖 Generated with Claude Code

Updates Next.js from 15.4.10 to 15.5.4 in: - templates/assistant-ui - templates/next-image - templates/next-video-template Addresses: - CVE-2025-55182: Node.js-only React Server Components RCE - CVE-2025-55183: Potential Authorization Bypass for RSC Actions - CVE-2025-55184: Potential Authorization Bypass for Server Function Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

vercel · 2026-01-13T17:09:47Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
assistant-ui-template	Ready	Preview, Comment	Jan 13, 2026 5:17pm
component-registry	Ready	Preview, Comment	Jan 13, 2026 5:17pm
echo-control	Ready	Preview, Comment	Jan 13, 2026 5:17pm
echo-next-boilerplate	Ready	Preview, Comment	Jan 13, 2026 5:17pm
echo-next-image	Ready	Preview, Comment	Jan 13, 2026 5:17pm
echo-next-sdk-example	Ready	Preview, Comment	Jan 13, 2026 5:17pm
echo-video-template	Ready	Preview, Comment	Jan 13, 2026 5:17pm
echo-vite-sdk-example	Ready	Preview, Comment	Jan 13, 2026 5:17pm
next-chat-template	Ready	Preview, Comment	Jan 13, 2026 5:17pm
react-boilerplate	Ready	Preview, Comment	Jan 13, 2026 5:17pm
react-chat	Ready	Preview, Comment	Jan 13, 2026 5:17pm
react-image	Ready	Preview, Comment	Jan 13, 2026 5:17pm

railway-app · 2026-01-13T17:09:50Z

🚅 Deployed to the echo-pr-707 environment in echo

Service	Status	Web	Updated (UTC)
echo	🕒 Building (View Logs)	Web	Jan 13, 2026 at 5:14 pm

- Updates Next.js from 15.5.4 to 15.5.9 to address CVE-2025-66478 - Adds openai dependency to assistant-ui template (required by echo-react-sdk) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

vercel Bot deployed to Preview – react-boilerplate January 13, 2026 17:10 View deployment

vercel Bot deployed to Preview – react-image January 13, 2026 17:10 View deployment

vercel Bot deployed to Preview – react-chat January 13, 2026 17:10 View deployment

vercel Bot had a problem deploying to Preview – echo-video-template January 13, 2026 17:10 Failure

vercel Bot deployed to Preview – echo-vite-sdk-example January 13, 2026 17:10 View deployment

vercel Bot had a problem deploying to Preview – echo-next-image January 13, 2026 17:10 Failure

vercel Bot deployed to Preview – echo-next-boilerplate January 13, 2026 17:10 View deployment

vercel Bot had a problem deploying to Preview – assistant-ui-template January 13, 2026 17:10 Failure

vercel Bot deployed to Preview – next-chat-template January 13, 2026 17:10 View deployment

vercel Bot deployed to Preview – component-registry January 13, 2026 17:11 View deployment

vercel Bot deployed to Preview – echo-next-sdk-example January 13, 2026 17:11 View deployment

Bump Next.js to 15.5.9 and add missing openai dependency

7706adc

- Updates Next.js from 15.5.4 to 15.5.9 to address CVE-2025-66478 - Adds openai dependency to assistant-ui template (required by echo-react-sdk) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

vercel Bot deployed to Preview – react-boilerplate January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – react-image January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – react-chat January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – echo-next-boilerplate January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – echo-vite-sdk-example January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – echo-video-template January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – echo-next-image January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – assistant-ui-template January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – next-chat-template January 13, 2026 17:13 View deployment

vercel Bot deployed to Preview – echo-next-sdk-example January 13, 2026 17:14 View deployment

vercel Bot deployed to Preview – component-registry January 13, 2026 17:14 View deployment

railway-app Bot temporarily deployed to echo / echo-pr-707 January 13, 2026 17:14 Destroyed

vercel Bot deployed to Preview – echo-control January 13, 2026 17:17 View deployment

sragss merged commit eacef7a into master Jan 13, 2026
15 checks passed

sragss deleted the fix/remaining-cve-templates branch January 13, 2026 17:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix React Server Components CVE vulnerabilities in remaining templates#707

Fix React Server Components CVE vulnerabilities in remaining templates#707
sragss merged 2 commits into
masterfrom
fix/remaining-cve-templates

sragss commented Jan 13, 2026

Uh oh!

vercel Bot commented Jan 13, 2026 •

edited

Loading

Uh oh!

railway-app Bot commented Jan 13, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

sragss commented Jan 13, 2026

Summary

CVEs Addressed

Test plan

Uh oh!

vercel Bot commented Jan 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

railway-app Bot commented Jan 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

vercel Bot commented Jan 13, 2026 •

edited

Loading

railway-app Bot commented Jan 13, 2026 •

edited

Loading