Improve GHSA-fv66-9v8q-g76r

leogasparini · leogasparini · commit 270d42494dd8 · 2025-12-04T14:10:07.000+01:00
diff --git a/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json b/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fv66-9v8q-g76r",
-  "modified": "2025-12-03T19:07:40Z",
+  "modified": "2025-12-03T19:07:41Z",
   "published": "2025-12-03T19:07:39Z",
   "aliases": [
     "CVE-2025-55182"
   ],
   "summary": "React Server Components are Vulnerable to RCE",
-  "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
+  "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -25,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "19.0"
+              "introduced": "19.0.0"
             },
             {
               "fixed": "19.0.1"
@@ -34,7 +34,7 @@
         }
       ],
       "versions": [
-        "19.0"
+        "19.0.0"
       ]
     },
     {
@@ -88,7 +88,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "19.0"
+              "introduced": "19.0.0"
             },
             {
               "fixed": "19.0.1"
@@ -97,7 +97,7 @@
         }
       ],
       "versions": [
-        "19.0"
+        "19.0.0"
       ]
     },
     {
@@ -151,7 +151,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "19.0"
+              "introduced": "19.0.0"
             },
             {
               "fixed": "19.0.1"
@@ -160,7 +160,7 @@
         }
       ],
       "versions": [
-        "19.0"
+        "19.0.0"
       ]
     },
     {

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-fv66-9v8q-g76r",`
`4`		`- "modified": "2025-12-03T19:07:40Z",`
	`4`	`+ "modified": "2025-12-03T19:07:41Z",`
`5`	`5`	`"published": "2025-12-03T19:07:39Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-55182"`
`8`	`8`	`],`
`9`	`9`	`"summary": "React Server Components are Vulnerable to RCE",`
`10`		- "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
	`10`	+ "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V3",`
`@@ -25,7 +25,7 @@`
`25`	`25`	`"type": "ECOSYSTEM",`
`26`	`26`	`"events": [`
`27`	`27`	`{`
`28`		`- "introduced": "19.0"`
	`28`	`+ "introduced": "19.0.0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`	`31`	`"fixed": "19.0.1"`
`@@ -34,7 +34,7 @@`
`34`	`34`	`}`
`35`	`35`	`],`
`36`	`36`	`"versions": [`
`37`		`- "19.0"`
	`37`	`+ "19.0.0"`
`38`	`38`	`]`
`39`	`39`	`},`
`40`	`40`	`{`
`@@ -88,7 +88,7 @@`
`88`	`88`	`"type": "ECOSYSTEM",`
`89`	`89`	`"events": [`
`90`	`90`	`{`
`91`		`- "introduced": "19.0"`
	`91`	`+ "introduced": "19.0.0"`
`92`	`92`	`},`
`93`	`93`	`{`
`94`	`94`	`"fixed": "19.0.1"`
`@@ -97,7 +97,7 @@`
`97`	`97`	`}`
`98`	`98`	`],`
`99`	`99`	`"versions": [`
`100`		`- "19.0"`
	`100`	`+ "19.0.0"`
`101`	`101`	`]`
`102`	`102`	`},`
`103`	`103`	`{`
`@@ -151,7 +151,7 @@`
`151`	`151`	`"type": "ECOSYSTEM",`
`152`	`152`	`"events": [`
`153`	`153`	`{`
`154`		`- "introduced": "19.0"`
	`154`	`+ "introduced": "19.0.0"`
`155`	`155`	`},`
`156`	`156`	`{`
`157`	`157`	`"fixed": "19.0.1"`
`@@ -160,7 +160,7 @@`
`160`	`160`	`}`
`161`	`161`	`],`
`162`	`162`	`"versions": [`
`163`		`- "19.0"`
	`163`	`+ "19.0.0"`
`164`	`164`	`]`
`165`	`165`	`},`
`166`	`166`	`{`