🔒 SECURITY: v0.4.6 - CVE-2025-55182 Mitigation
⚠️ CRITICAL SECURITY UPDATE
CVE-2025-55182: React Server Components Remote Code Execution (CVSS 10.0)
This release updates Latch's peer dependencies to require patched versions of React and Next.js.
🚨 Immediate Action Required
If you're using Latch, verify your React and Next.js versions are patched:
# Check current versions
npm list react next
# Upgrade to patched versions
npm install next@latest react@latest react-dom@latest
✅ Patched Versions
Next.js:
- 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
React:
- 19.0.1, 19.1.2, 19.2.1
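As an added example (not part of Latch or of this release), a POSIX shell script that parses the output of `npm list react next react-dom` and compares each installed version with the patched releases listed above, matching on the major.minor series so that 15.3.9 counts as at or above 15.3.6. The `npm list` output embedded in it is constructed, `react-dom` is assumed to follow the React patched releases (consistent with the updated peer range below), and a version whose series is not in the list, or a prerelease build, is reported as not verified rather than as safe.

```shell
#!/bin/sh
# Added example, not part of Latch: check installed React / Next.js versions
# against the patched releases listed in the advisory above.

# Patched releases from the advisory, one per major.minor series.
PATCHED_NEXT="15.0.5 15.1.9 15.2.6 15.3.6 15.4.8 15.5.7 16.0.7"
PATCHED_REACT="19.0.1 19.1.2 19.2.1"   # assumed to apply to react-dom as well

# patched_for <pkg> <major.minor>: print the patched release for that series,
# return 1 when the advisory lists no release for it.
patched_for() {
  case "$1" in
    next)            list=$PATCHED_NEXT ;;
    react|react-dom) list=$PATCHED_REACT ;;
    *)               return 1 ;;
  esac
  for v in $list; do
    case "$v" in "$2".*) printf '%s\n' "$v"; return 0 ;; esac
  done
  return 1
}

# is_patched <pkg> <version>: return 0 when the installed version is at or
# above the patched release of its own major.minor series. Prerelease builds
# (anything with a "-" suffix) and unlisted series return 1 (not verified).
is_patched() {
  case "$2" in *-*) return 1 ;; esac
  major=${2%%.*}; rest=${2#*.}; minor=${rest%%.*}; patch=${rest#*.}
  need=$(patched_for "$1" "$major.$minor") || return 1
  [ "$patch" -ge "${need##*.}" ] 2>/dev/null
}

# check_npm_list: read `npm list react next react-dom` output on stdin, print a
# verdict per package, return 1 if any listed package could not be verified.
check_npm_list() {
  status=0
  while IFS= read -r line; do
    spec=${line% deduped}   # npm marks hoisted duplicates with " deduped"
    spec=${spec##* }        # drop tree characters: "├── next@16.0.7" -> "next@16.0.7"
    pkg=${spec%@*}; ver=${spec##*@}
    case "$pkg" in next|react|react-dom) ;; *) continue ;; esac
    if is_patched "$pkg" "$ver"; then
      printf 'OK: %s@%s\n' "$pkg" "$ver"
    else
      printf 'NOT VERIFIED: %s@%s\n' "$pkg" "$ver"
      status=1
    fi
  done
  return $status
}

# Constructed sample of `npm list react next react-dom` output (not real output
# from any project): next is on a patched release, react and react-dom are not.
SAMPLE_NPM_LIST='my-app@1.0.0 /srv/my-app
├── next@16.0.7
├── react-dom@19.0.0
└── react@19.0.0'

run_sample() { printf '%s\n' "$SAMPLE_NPM_LIST" | check_npm_list; }

# Usage: npm list react next react-dom | sh check_versions.sh --stdin
#        sh check_versions.sh --demo      (runs against the constructed sample)
case "${1:-}" in
  --stdin) check_npm_list ;;
  --demo)  run_sample ;;
esac
```

Run it with `--stdin` on the real `npm list` output of a project; a non-zero exit status means at least one of the three packages is below the listed patched release for its series, is a prerelease, or is on a series these notes do not cover, so it needs a manual check against the upstream advisory rather than being assumed safe.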
📝 What Changed in Latch v0.4.6
Updated peer dependencies:
- next: >=15.0.5 (was >=15.0.0)
- react: >=19.0.1 (was ^19.0.0)
- react-dom: >=19.0.1 (was ^19.0.0)
Updated example apps:
- All examples now use Next.js 16.0.7 and React 19.0.1
Documentation:
- Added security advisory to SECURITY.md
- Added security banner to README.md
- Updated CHANGELOG.md
ℹ️ About the Vulnerability
CVE-2025-55182 affects React Server Components (react-server-dom-* packages). While Latch does NOT directly depend on these packages, applications using vulnerable versions of React or Next.js may still be affected.
The vulnerability allows unauthenticated remote code execution through malicious HTTP requests to Server Function endpoints.
🔗 References
📦 Install
npm install @lance0/latch@0.4.6
# Then upgrade React and Next.js:
npm install next@latest react@latest react-dom@latest