Security Update — qz‑l.com patched against React / Next.js Server‑Component Vulnerability (CVE‑2025‑55182)

Date: December 4, 2025

⚠ What Happened

On December 3, 2025, the React team disclosed a critical remote code execution (RCE) vulnerability affecting React Server Components (RSC), tracked as CVE-2025-55182. :contentReference[oaicite:3]{index=3}

The vulnerability arises from unsafe deserialization in the RSC “Flight” protocol. Even applications that don’t explicitly use Server Functions — but support server components — could be vulnerable. :contentReference[oaicite:4]{index=4}

The community quickly adopted the fix: patched versions of the RSC packages were released — namely 19.0.1, 19.1.2, 19.2.1, etc. :contentReference[oaicite:5]{index=5}

✅ What We Did: qz‑l.com Is Already Protected

• We audited our dependencies immediately after the disclosure.
• We confirmed that our app does not use any of the vulnerable versions (19.0.0, 19.1.0, 19.1.1, 19.2.0) of react-server-dom-*.
• All relevant packages have been upgraded to the safe versions (19.0.1 / 19.1.2 / 19.2.1 or later).
• In addition, we reviewed our deployment environment to ensure no stale dependencies remain, and re‑deployed to propagate the updates.

Therefore, qz‑l.com is not vulnerable to CVE‑2025‑55182 and remains secure.

🔐 Our Security Commitment

We take security seriously. In light of this incident, we will:

• Monitor security advisories for React, Next.js, and all related dependencies.
• Update dependencies proactively, especially after major disclosures.
• Review our CI/CD pipelines to ensure dependency updates are fast and traceable.
• Conduct periodic audits of our dependency tree.

If you have any questions, or want to report a concern, please contact us.

Thank you for trusting qz‑l.com. We’re committed to keeping your experience safe and reliable.