add update instructions

rickhanlonii · rickhanlonii · commit 04a4959fe12b · 2025-12-03T11:26:29.000-05:00
diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
@@ -50,13 +50,94 @@ We will update this post with upgrade instructions on how to upgrade as they bec
 
 An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Further details of the vulnerability will be provided after the rollout of the fix is complete.
 
-### Timeline {/*timeline*/}
+## Update Instructions {/*update-instructions*/}
+
+### Next.js {/*update-next-js*/}
+
+All users should upgrade to the latest patched version in their release line:
+
+```bash
+npm install next@15.0.5   // for 15.0.x
+npm install next@15.1.9   // for 15.1.x
+npm install next@15.2.6   // for 15.2.x
+npm install next@15.3.6   // for 15.3.x
+npm install next@15.4.8   // for 15.4.x
+npm install next@15.5.7   // for 15.5.x
+npm install next@16.0.7   // for 16.0.x
+```
+
+If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
+
+```bash
+npm install next@14
+```
+
+See the [Next.js changelog](https://vercel.com/changelog/cve-2025-55182) for more info.
+
+### React Router {/*update-react-router*/}
+
+If you are using React Router's unstable RSC APIs, you should upgrade the following package.json dependencies if they exist:
+
+```bash
+npm install react@latest
+npm install react-dom@latest
+npm install react-server-dom-parcel@latest
+npm install react-server-dom-webpack@latest
+```
+
+### Redwood SDK {/*update-redwood-sdk*/}
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+```
+
+See [Redwood docs](https://docs.rwsdk.com/migrating/) for more migration instructions.
+
+### Waku {/*update-waku*/}
+
+Upgrade to the latest `react-server-dom-webpack`:
+
+```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+```
+
+### `vite/plugin-rsc` {/*vite-plugin-rsc*/}
+
+A patch has not been published yet, we will update this post when the patch is available.
+
+### `react-server-dom-parcel` {/*update-react-server-dom-parcel*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-parcel@latest
+ ```
+
+### `react-server-dom-turbopack` {/*update-react-server-dom-turbopack*/}
+
+Update to the latest version:
+
+ ```bash
+ npm install react@latest react-dom@latest react-server-dom-turbopack@latest
+ ```
+
+### `react-server-dom-webpack` {/*update-react-server-dom-webpack*/}
+
+Update to the latest version:
+
+ ```bash
+npm install react@latest react-dom@latest react-server-dom-webpack@latest
+ ```
+
+## Timeline {/*timeline*/}
 
 * **November 29th**: Lachlan Davidson reported the security vulnerability via [Meta Bug Bounty](https://bugbounty.meta.com/).
 * **November 30th**: Meta security researchers confirmed and began working with the React team on a fix.
 * **December 1st**: A fix was created and the React team began working with affected hosting providers and open source projects to validate the fix, implement mitigations and roll out the fix
 * **December 3rd**: The fix was published to npm and the publicly disclosed as CVE-2025-55182.
 
-### Attribution {/*attribution*/}
+## Attribution {/*attribution*/}
 
 Thank you to [Lachlan Davidson](https://github.com/lachlan2k) for discovering, reporting, and working to help fix this vulnerability.
