How to Apply a Critical Security Update in Next.js and React

Beda Arta
Next.js, React.js, NPM

Today I received an email from Vercel about a critical security vulnerability. Below is the message:

A critical vulnerability in React Server Components (CVE-2025-55182) has been responsibly disclosed. It affects React 19 and frameworks that use it, including Next.js (CVE-2025-66478). If you are using Next.js, every version between Next.js 15 and 16 is affected, and we recommend immediately updating to the latest Next.js versions containing the appropriate fixes (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7). If you are using another framework using Server Components, we also recommend immediately updating to the latest React versions containing the appropriate fixes (19.0.1, 19.1.2, and 19.2.1).

If you're running Next.js 15 or 16, or React 19, you need to update immediately.

How to Update

If this is the first time you've received a message about a security update, take a deep breath and relax. You can use the following steps as a reference:

Check Your Current Versions

First, check which versions you're currently running:

npm list next react react-dom

As mentioned in the message above, Vercel recommends immediately updating to the latest patched Next.js and React.js versions containing the appropriate fixes:

Next.js:

  • 15.0.5
  • 15.1.9
  • 15.2.6
  • 15.3.6
  • 15.4.8
  • 15.5.7
  • 16.0.7 (latest)

React:

  • 19.0.1
  • 19.1.2
  • 19.2.1 (latest)

For Next.js 16.x users:

npm install next@16.0.7 react@19.2.1 react-dom@19.2.1

For Next.js 15.x users, update to the appropriate patch version for your minor version.

After updating, if you still see something like:

2 moderate severity vulnerabilities

That might not come from Next.js or React.js but from other dependencies. I've already covered this topic in the previous blog post about How to Check and Update Outdated NPM Packages.

Verify the Update

Confirm the versions were updated successfully:

npm list next react react-dom

Test Your Application

Run your development server to ensure everything works correctly:

npm run dev

Build and Deploy

Create a production build to verify there are no issues:

npm run build

Once verified, deploy your updated application immediately.
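
The check and verify steps above can be scripted so that nested copies of a package are not missed. The following is an added example, not code from the original post or from Vercel: the function names and the sample tree are constructed for illustration, the version table is copied from the message quoted above, and it assumes react-dom is held to the same versions as react, as in the install command.

```javascript
// Patched release per release line, copied from the advisory quoted on this page.
const FIXED = {
  next: { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
          "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" },
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
};
FIXED["react-dom"] = FIXED.react; // assumption: same versions as react

// Classify one installed version against the table above (hypothetical helper).
function checkVersion(name, version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!FIXED[name] || !m) return { name, version, status: "unknown" };
  const fixed = FIXED[name][`${m[1]}.${m[2]}`];
  // Release lines the advisory does not list, and prereleases, need a manual look.
  if (!fixed || m[4]) return { name, version, status: "not-listed" };
  const fixedPatch = Number(fixed.split(".")[2]);
  return Number(m[3]) >= fixedPatch
    ? { name, version, status: "patched" }
    : { name, version, status: "update", target: fixed };
}

// Walk a tree shaped like `npm ls --all --json` output, including nested copies.
function audit(tree, found = []) {
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    if (FIXED[name] && dep.version) found.push(checkVersion(name, dep.version));
    audit(dep, found);
  }
  return found;
}

// Constructed sample tree (not from a real project); example-ui-lib is made up.
const sample = {
  name: "example-app",
  dependencies: {
    next: { version: "15.3.2" },
    react: { version: "19.2.1" },
    "react-dom": { version: "19.2.1" },
    "example-ui-lib": { version: "1.0.0",
      dependencies: { react: { version: "19.1.0" } } },
  },
};

for (const r of audit(sample)) {
  console.log(`${r.name}@${r.version}: ${r.status}${r.target ? " -> " + r.target : ""}`);
}
```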

Conclusion

This is a critical security update that requires immediate action. The update process is straightforward and should be backward compatible with your existing code since these are patch versions. Future security updates might involve different versions, but you can still use this as a reference.