From 81637042bad06c1669c5cc1da58d29e2c12e37c8 Mon Sep 17 00:00:00 2001
From: Ben Vargas
Date: Mon, 15 Dec 2025 10:30:49 -0700
Subject: [PATCH] fix(security): upgrade Next.js to 14.2.35 for CVE-2025-55184
Addresses high-severity Denial of Service vulnerability in React Server Components. Next.js 14.2.25 is vulnerable to CVE-2025-55184 where a malicious HTTP request can cause an infinite loop that hangs the server.
Updated:
- ecosystem-tests/vercel-edge/package.json
- examples/package.json
References:
- https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
- https://nextjs.org/blog/security-update-2025-12-11
---
 ecosystem-tests/vercel-edge/package.json | 2 +-
 examples/package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/ecosystem-tests/vercel-edge/package.json b/ecosystem-tests/vercel-edge/package.json
index 5a8fea816..0d1d4d944 100644
--- a/ecosystem-tests/vercel-edge/package.json
+++ b/ecosystem-tests/vercel-edge/package.json
@@ -15,7 +15,7 @@
 },
 "dependencies": {
 "ai": "2.1.34",
- "next": "^14.2.25",
+ "next": "^14.2.35",
 "react": "18.2.0",
 "react-dom": "18.2.0"
 },
diff --git a/examples/package.json b/examples/package.json
index db01a2c10..e1b1dd056 100644
--- a/examples/package.json
+++ b/examples/package.json
@@ -9,7 +9,7 @@
 "@azure/identity": "^4.2.0",
 "dotenv": "^16.4.7",
 "express": "^4.18.2",
- "next": "^14.2.25",
+ "next": "^14.2.35",
 "openai": "file:..",
 "zod-to-json-schema": "^3.21.4"
 },
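Review bot: Raising the floor in `"next": "^14.2.35"` only constrains a fresh dependency resolution. The previous `^14.2.25` range already admitted 14.2.35, so an install that honours a committed lockfile pinned to an older 14.2.x would still pull the affected build. The diffstat lists only the two package.json files (ecosystem-tests/vercel-edge and examples); if either directory has a lockfile, which is not visible here, it should be regenerated and committed in the same change. After installing, confirm the resolved version in each directory with `npm ls next` or the equivalent for the package manager in use, so the fix is verified rather than assumed from the manifest.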