[Blog] Update safe Next.js versions (#8199)

Author: mattcarrollcode

src/content/blog/2025/12/03/critical-security-vulnerability-in-react-server-components.md

@@ -20,9 +20,9 @@ We recommend upgrading immediately.
 
 ---
 
-On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints. 
+On November 29th, Lachlan Davidson reported a security vulnerability in React that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.
 
-Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components. 
+Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
 
 This vulnerability was disclosed as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182) and is rated CVSS 10.0.
 
@@ -40,7 +40,7 @@ If your app’s React code does not use a server, your app is not affected by th
 
 ### Affected frameworks and bundlers {/*affected-frameworks-and-bundlers*/}
 
-Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk). 
+Some React frameworks and bundlers depended on, had peer dependencies for, or included the vulnerable React packages. The following React frameworks & bundlers are affected: [next](https://www.npmjs.com/package/next), [react-router](https://www.npmjs.com/package/react-router), [waku](https://www.npmjs.com/package/waku), [@parcel/rsc](https://www.npmjs.com/package/@parcel/rsc), [@vitejs/plugin-rsc](https://www.npmjs.com/package/@vitejs/plugin-rsc), and [rwsdk](https://www.npmjs.com/package/rwsdk).
 
 See the [update instructions below](#update-instructions) for how to upgrade to these patches.
 
@@ -76,16 +76,21 @@ See the [follow-up blog post](/blog/2025/12/11/denial-of-service-and-source-code
 All users should upgrade to the latest patched version in their release line:
 
 ```bash
-npm install [email protected]  // for 14.x
-npm install [email protected]   // for 15.0.x
-npm install [email protected]  // for 15.1.x
-npm install [email protected]   // for 15.2.x
-npm install [email protected]   // for 15.3.x
-npm install [email protected]   // for 15.4.x
-npm install [email protected]   // for 15.5.x
-npm install [email protected]   // for 16.0.x
+npm install [email protected]  // for 13.3.x, 13.4.x, 13.5.x, 14.x
+npm install [email protected]   // for 15.0.x
+npm install [email protected]  // for 15.1.x
+npm install [email protected]   // for 15.2.x
+npm install [email protected]   // for 15.3.x
+npm install [email protected]  // for 15.4.x
+npm install [email protected]   // for 15.5.x
+npm install [email protected]  // for 16.0.x
+
+npm install [email protected]   // for 15.x canary releases
+npm install [email protected]   // for 16.x canary releases
 ```
 
+If you are on version `13.3` or later version of Next.js 13 (`13.3.x`, `13.4.x`, or `13.5.x`) please upgrade to version `14.2.35`.
+
 If you are on `[email protected]` or a later canary release, downgrade to the latest stable 14.x release:
 
 ```bash