Improve GHSA-4342-x723-ch2f

sbgitZZ · sbgitZZ · commit 0927529381c0 · 2025-12-09T17:19:27.000+07:00
diff --git a/advisories/github-reviewed/2025/08/GHSA-4342-x723-ch2f/GHSA-4342-x723-ch2f.json b/advisories/github-reviewed/2025/08/GHSA-4342-x723-ch2f/GHSA-4342-x723-ch2f.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4342-x723-ch2f",
-  "modified": "2025-09-11T15:41:02Z",
+  "modified": "2025-09-11T15:41:03Z",
   "published": "2025-08-29T21:33:09Z",
   "aliases": [
     "CVE-2025-57822"
@@ -10,8 +10,8 @@
   "details": "A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.\n\nAll users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)",
   "severity": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -25,10 +25,10 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0.9.9"
+              "introduced": "15.0.0-canary.0"
             },
             {
-              "fixed": "14.2.32"
+              "fixed": "15.4.7"
             }
           ]
         }
@@ -44,10 +44,10 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "15.0.0-canary.0"
+              "introduced": "0.9.9"
             },
             {
-              "fixed": "15.4.7"
+              "fixed": "14.2.32"
             }
           ]
         }
@@ -80,7 +80,7 @@
     "cwe_ids": [
       "CWE-918"
     ],
-    "severity": "MODERATE",
+    "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2025-08-29T21:33:09Z",
     "nvd_published_at": "2025-08-29T22:15:32Z"

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-4342-x723-ch2f",`
`4`		`- "modified": "2025-09-11T15:41:02Z",`
	`4`	`+ "modified": "2025-09-11T15:41:03Z",`
`5`	`5`	`"published": "2025-08-29T21:33:09Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-57822"`
`@@ -10,8 +10,8 @@`
`10`	`10`	"details": "A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.\n\nAll users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)",
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`		`- "type": "CVSS_V3",`
`14`		`- "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"`
	`13`	`+ "type": "CVSS_V4",`
	`14`	`+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"`
`15`	`15`	`}`
`16`	`16`	`],`
`17`	`17`	`"affected": [`
`@@ -25,10 +25,10 @@`
`25`	`25`	`"type": "ECOSYSTEM",`
`26`	`26`	`"events": [`
`27`	`27`	`{`
`28`		`- "introduced": "0.9.9"`
	`28`	`+ "introduced": "15.0.0-canary.0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "fixed": "14.2.32"`
	`31`	`+ "fixed": "15.4.7"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`
`@@ -44,10 +44,10 @@`
`44`	`44`	`"type": "ECOSYSTEM",`
`45`	`45`	`"events": [`
`46`	`46`	`{`
`47`		`- "introduced": "15.0.0-canary.0"`
	`47`	`+ "introduced": "0.9.9"`
`48`	`48`	`},`
`49`	`49`	`{`
`50`		`- "fixed": "15.4.7"`
	`50`	`+ "fixed": "14.2.32"`
`51`	`51`	`}`
`52`	`52`	`]`
`53`	`53`	`}`
`@@ -80,7 +80,7 @@`
`80`	`80`	`"cwe_ids": [`
`81`	`81`	`"CWE-918"`
`82`	`82`	`],`
`83`		`- "severity": "MODERATE",`
	`83`	`+ "severity": "LOW",`
`84`	`84`	`"github_reviewed": true,`
`85`	`85`	`"github_reviewed_at": "2025-08-29T21:33:09Z",`
`86`	`86`	`"nvd_published_at": "2025-08-29T22:15:32Z"`