
Security: Update Next.js example to React 19.2.1+ to address CVE in React Server Components

Open · mbiuki opened this issue 4 months ago · 1 comment

Vulnerability Summary

React has disclosed a critical security vulnerability (CVSS 10.0) in React Server Components affecting React versions 19.0, 19.1.0, 19.1.1, and 19.2.0. While dotCMS core is not affected, our Next.js example application uses React 19.1.0 and should be updated as a precautionary measure.

Impact Assessment

dotCMS Core: NOT AFFECTED

  • Main application uses React 18.3.1
  • No vulnerable packages (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) found
  • No React Server Components in core product

Next.js Example: POTENTIALLY AFFECTED ⚠️

  • Location: examples/nextjs/
  • Current version: React 19.1.0 + Next.js 15.3.2
  • Status: Example/demo application, not part of core product
  • Risk: Low (example code, not production)

Vulnerability Details

  • CVE: React Server Components Remote Code Execution
  • CVSS Score: 10.0 (Critical)
  • Affected Versions: React 19.0, 19.1.0, 19.1.1, 19.2.0
  • Fixed Versions: React 19.0.1, 19.1.2, 19.2.1+
  • Attack Vector: Malicious HTTP requests to Server Function endpoints
  • Affected Packages:
    • react-server-dom-webpack
    • react-server-dom-parcel
    • react-server-dom-turbopack

Recommended Action

Update the Next.js example to use React 19.2.1 or later:

cd examples/nextjs
npm install react@19.2.1 react-dom@19.2.1

Update examples/nextjs/package.json:

{
  "dependencies": {
    "react": "19.2.1",
    "react-dom": "19.2.1"
  }
}

Verification Steps

  1. Update dependencies in examples/nextjs/package.json
  2. Run npm install to update lock file
  3. Test the example application:
    cd examples/nextjs
    npm run dev
    npm run build
    
  4. Verify no functionality regressions

Additional Context

  • This is a precautionary update for example code
  • Core dotCMS product is not affected and requires no action
  • Next.js example does not explicitly install vulnerable packages, but updating ensures protection
  • Next.js 15.3.2 may transitively depend on affected packages

References

  • React Security Advisory: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
  • CVSS Calculator: https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Priority

Medium - Example code only, not production code, but should be updated for best practices


Generated with Claude Code

mbiuki · Dec 03 '25 20:12

Additional Notes

Other React Usage in Repository (Not Affected)

After comprehensive analysis, the following locations use React but are NOT affected:

  1. starter/nextjs/ - Uses React ^18 (safe version)
  2. core-web/ - Uses React 18.3.1 for internal tooling (safe version)
  3. examples/astro/ - Uses React ^18.3.1 (safe version)
  4. examples/angular/ and examples/angular-ssr/ - No React usage
  5. examples/vuejs/ - No React usage

Next.js Framework Compatibility

  • Next.js 15.3.2 is compatible with React 19.2.1+
  • No breaking changes expected when upgrading from 19.1.0 to 19.2.1
  • This is a patch-level security fix only

Testing Checklist

When implementing the fix, verify:

  • [ ] Next.js dev server starts without errors (npm run dev)
  • [ ] Production build completes successfully (npm run build)
  • [ ] UVE (Universal Visual Editor) functionality still works
  • [ ] dotCMS SDK integration (@dotcms/client, @dotcms/react) remains functional
  • [ ] Content rendering from dotCMS displays correctly

Customer Impact

  • No customer impact - This affects example/demo code only
  • Customers using the Next.js starter template are safe (uses React 18)
  • No action required from dotCMS customers or cloud instances

Timeline Recommendation

  • Non-urgent fix since it's example code
  • Suggest including in next routine maintenance cycle
  • No emergency patch required

mbiuki · Dec 04 '25 00:12