Context: CVE-2025-55182 (React2Shell) is a CVSS 10.0 RCE affecting React Server Components in Next.js 15.x-16.x App Router. The initial fix shipped in Next.js 16.0.7 with backports across the 15.x lines. The starters use `next@^15.5.10`. We need to confirm that 15.5.10 specifically includes the complete RCE fix (the initial patches in some 15.x lines were incomplete and required subsequent updates). React 19.2.4 (used by the starters) includes the React-side fix.
Steps:
1. Check the Next.js GitHub releases page for 15.5.10 release notes — look for references to CVE-2025-55182 or CVE-2025-66478.
2. Cross-reference with the Vercel security advisory and the Next.js blog post on CVE-2025-66478.
3. If 15.5.10 is fully patched: document the finding and close this task.
4. If 15.5.10 is NOT fully patched: immediately bump the `next` dependency to the first fully-patched 15.5.x version in all starters, or escalate the Next.js 16 upgrade.
Acceptance criteria:
Written confirmation that Next.js 15.5.10 includes the complete CVE-2025-55182 fix, OR
All starters bumped to a version that does include the complete fix
Finding documented in a PR description or issue comment
Risks: If 15.5.10 is not fully patched, the starters are currently exposing new adopters to an actively-exploited critical RCE. This would escalate the Next.js 16 upgrade from "Now" to "Emergency."