From fe4af3e7edfbd8b04648b5ca6f7c98ba9c5b1371 Mon Sep 17 00:00:00 2001
From: Carlo Bottaro
Date: Tue, 9 Dec 2025 20:59:24 +0100
Subject: [PATCH 1/2] Add CVE-2025-55182 alias to GHSA-9qr9-h5gf-34mp

Add CVE alias for GHSA-9qr9-h5gf-34mp advisory.
---
 .../2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json b/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json
index ddc1e0e4e1a89..5cd559c7eea23 100644
--- a/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json
+++ b/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json
@@ -3,7 +3,9 @@
 "id": "GHSA-9qr9-h5gf-34mp",
 "modified": "2025-12-08T21:36:57Z",
 "published": "2025-12-03T19:07:11Z",
- "aliases": [],
+ "aliases": [
+ "CVE-2025-55182"
+ ],
 "summary": "Next.js is vulnerable to RCE in React flight protocol",
 "details": "A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n1 The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
 "severity": [
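Review bot: The `modified` timestamp on the context line directly above the changed `aliases` array still reads `2025-12-08T21:36:57Z`, although this commit alters the record on 2025-12-09; OSV consumers rely on `modified` to notice that a record changed, so unless the repository's pipeline rewrites it on merge, it should be bumped alongside the alias, e.g. `"modified": "<merge-time, constructed placeholder>Z"`. The alias itself is consistent with the CVE already named in the `details` text, so the record's two CVE references now agree.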
@@ -170,4 +172,4 @@
 "github_reviewed_at": "2025-12-03T19:07:11Z",
 "nvd_published_at": "2025-12-03T18:15:47Z"
 }
-}
\ No newline at end of file
+}

From 519ba75505b67aba7081006fb02b1de79a14c4da Mon Sep 17 00:00:00 2001
From: Carlo Bottaro
Date: Wed, 10 Dec 2025 14:38:25 +0100
Subject: [PATCH 2/2] Update GHSA-fv66-9v8q-g76r.json with new package ranges

Added multiple vulnerability ranges for 'next' and 'react' packages in the advisory.
---
 .../GHSA-fv66-9v8q-g76r.json | 182 +++++++++++++++++-
 1 file changed, 181 insertions(+), 1 deletion(-)

diff --git a/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json b/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
index e215f9f9f0a84..8e29f899c79ac 100644
--- a/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
+++ b/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
@@ -203,6 +203,186 @@
 "versions": [
 "19.2.0"
 ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "14.3.0-canary.77"
+ },
+ {
+ "fixed": "15.0.5"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.1.0-canary.0"
+ },
+ {
+ "fixed": "15.1.9"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.2.0-canary.0"
+ },
+ {
+ "fixed": "15.2.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.3.0-canary.0"
+ },
+ {
+ "fixed": "15.3.6"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.4.0-canary.0"
+ },
+ {
+ "fixed": "15.4.8"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "15.5.0-canary.0"
+ },
+ {
+ "fixed": "15.5.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "16.0.0-canary.0"
+ },
+ {
+ "fixed": "16.0.7"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "react"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ { "introduced": "19.0.0" },
+ { "fixed": "19.0.1" }
+ ]
+ }
+ ],
+ "versions": ["19.0.0"]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "react"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ { "introduced": "19.1.0" },
+ { "fixed": "19.1.2" }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "react"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ { "introduced": "19.2.0" },
+ { "fixed": "19.2.1" }
+ ]
+ }
+ ],
+ "versions": ["19.2.0"]
 }
 ],
 "references": [
@@ -268,4 +448,4 @@
 "github_reviewed_at": "2025-12-03T19:07:39Z",
 "nvd_published_at": "2025-12-03T16:15:56Z"
 }
-}
\ No newline at end of file
+}
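Review bot: The added `next` ranges leave a gap between `"fixed": "15.5.7"` and `"introduced": "16.0.0-canary.0"`, and another after `"fixed": "16.0.7"`: under npm semver ordering the `15.6.0-canary.*` and `16.1.0-canary.*` builds fall outside every range and will be reported as unaffected, while the sibling advisory's `details` text in the first patch lists `15.6.0-canary.58` and `16.1.0-canary.12+` as the fixed canaries, which implies the earlier canaries on those lines are vulnerable. Two further entries mirroring the existing ones, with events `{ "introduced": "15.6.0-canary.0" }, { "fixed": "15.6.0-canary.58" }` and `{ "introduced": "16.1.0-canary.0" }, { "fixed": "16.1.0-canary.12" }`, would close that gap (the `introduced` values are my assumption of where those release lines start; confirm against the release history). Separately, that same `details` text names only `react-server-dom-parcel`, `react-server-dom-turbopack` and `react-server-dom-webpack` as the affected React packages, so listing `react` itself as affected may alert every React 19 consumer regardless of whether they use server components; confirm the package actually ships the vulnerable code before keeping those three entries. As a consistency point, the `react` 19.1 entry is the only one without a `versions` list (`"versions": ["19.1.0", "19.1.1"]` would match its siblings), and the compact `{ "introduced": ... }` and `["19.0.0"]` one-liners differ from the one-value-per-line layout the surrounding context lines use.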