Recent React vulnerability - No impact on Universal
A recently disclosed critical 10/10 vulnerability in React Server Components was announced by the React team. You can read the official blog here:
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
Universal is not affected.
Why Universal is not impacted
Universal is built as a static export using Next.js. Static exports do not use React Server Components or any server-side React code paths. Because the vulnerability only affects React Server Components, Universal is not vulnerable to this issue.
Learn more about static exports here: https://nextjs.org/docs/pages/guides/static-exports
Next.js security advisories
Several security advisories were also published for Next.js 14.1.4, the version currently used by Universal. These advisories all relate to server-side features.
Since Universal is built as a static export and does not run server-side Next.js code, Universal is also not vulnerable to these issues:
https://github.com/advisories/GHSA-gp8f-8m3g-qvj9
https://github.com/advisories/GHSA-g77x-44xx-532m
https://github.com/advisories/GHSA-7gfc-8cq8-jh5f
https://github.com/advisories/GHSA-7m27-7ghc-44w9
https://github.com/advisories/GHSA-f82v-jwr5-mffw
https://github.com/advisories/GHSA-xv57-4mr9-wg8v
https://github.com/advisories/GHSA-4342-x723-ch2f
https://github.com/advisories/GHSA-g5qg-72qw-gw5v
Upcoming upgrade
To avoid false positives in dependency scanners, we will be upgrading to Next.js 16.0.7 in Universal version 2025.3.13, scheduled for release on 22 December 2025.
Our commitment to security
Our development team continuously monitors security advisories and responds promptly. We are also preparing a living security document to keep you informed about relevant security updates.
