Update instructions (#8195)

rickhanlonii · web-flow · commit 72f8998872ab · 2025-12-11T17:15:41.000-05:00
diff --git a/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md b/src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md
@@ -58,27 +58,40 @@ An unauthenticated attacker could craft a malicious HTTP request to any Server F
 
 ## Update Instructions {/*update-instructions*/}
 
+<Note>
+
+These instructions have been updated to include the new vulnerabilities:
+
+
+- **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
+- **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
+
+See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components) for more info.
+
+</Note>
+
 ### Next.js {/*update-next-js*/}
 
 All users should upgrade to the latest patched version in their release line:
 
 ```bash
-npm install next@15.0.5   // for 15.0.x
-npm install next@15.1.9   // for 15.1.x
-npm install next@15.2.6   // for 15.2.x
-npm install next@15.3.6   // for 15.3.x
-npm install next@15.4.8   // for 15.4.x
-npm install next@15.5.7   // for 15.5.x
-npm install next@16.0.7   // for 16.0.x
+npm install next@14.2.34  // for 14.x
+npm install next@15.0.6   // for 15.0.x
+npm install next@15.1.10  // for 15.1.x
+npm install next@15.2.7   // for 15.2.x
+npm install next@15.3.7   // for 15.3.x
+npm install next@15.4.9   // for 15.4.x
+npm install next@15.5.8   // for 15.5.x
+npm install next@16.0.9   // for 16.0.x
 ```
 
-If you are on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release:
+If you are on `next@14.3.0-canary.77` or a later canary release, downgrade to the latest stable 14.x release:
 
 ```bash
 npm install next@14
 ```
 
-See the [Next.js changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
+See the [Next.js blog](https://nextjs.org/blog/security-update-2025-12-11) for the latest update instructions and the [previous changelog](https://nextjs.org/blog/CVE-2025-66478) for more info.
 
 ### React Router {/*update-react-router*/}
 
diff --git a/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md b/src/content/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components.md
@@ -26,20 +26,15 @@ The new vulnerabilities are disclosed as:
 - **Denial of Service - High Severity**: [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184) (CVSS 7.5)
 - **Source Code Exposure - Medium Severity**: [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183) (CVSS 5.3)
 
-These issues are present in the patches published last week. 
-
 We recommend upgrading immediately due to the severity of the newly disclosed vulnerabilities.
 
-
 <Note>
 
-#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/}
-
-When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.
+#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/}
 
-This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix.
+If you already updated for the Critical Security Vulnerability, you will need to update again.
 
-Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
+Please see [the instructions in the previous post](/blog/2025/12/03/critical-security-vulnerability-in-react-server-components#update-instructions) for upgrade steps.
 
 </Note>
 
@@ -61,9 +56,13 @@ As before, if your app’s React code does not use a server, your app is not aff
 
 <Note>
 
-#### The patches published last week are vulnerable. {/*the-patches-published-last-week-are-vulnerable*/}
+#### It’s common for critical CVEs to uncover follow‑up vulnerabilities. {/*its-common-for-critical-cves-to-uncover-followup-vulnerabilities*/}
 
-If you already updated for the Critical Security Vulnerability, you will need to update again.
+When a critical vulnerability is disclosed, researchers scrutinize adjacent code paths looking for variant exploit techniques to test whether the initial mitigation can be bypassed.
+
+This pattern shows up across the industry, not just in JavaScript. For example, after [Log4Shell](https://nvd.nist.gov/vuln/detail/cve-2021-44228), additional CVEs ([1](https://nvd.nist.gov/vuln/detail/cve-2021-45046), [2](https://nvd.nist.gov/vuln/detail/cve-2021-45105)) were reported as the community probed the original fix.
+
+Additional disclosures can be frustrating, but they are generally a sign of a healthy response cycle.
 
 </Note>
 
