Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 6ed2700f901f · 2025-12-03T19:09:20.000Z
GHSA-9qr9-h5gf-34mp GHSA-fmh4-wr37-44fp GHSA-fv66-9v8q-g76r
diff --git a/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json b/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json
@@ -0,0 +1,175 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9qr9-h5gf-34mp",
+  "modified": "2025-12-03T19:07:11Z",
+  "published": "2025-12-03T19:07:11Z",
+  "aliases": [
+    "CVE-2025-66478"
+  ],
+  "summary": "Next.js is vulnerable to RCE in React flight protocol",
+  "details": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "14.3.0-canary.77"
+            },
+            {
+              "fixed": "15.0.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "15.1.1-canary.0"
+            },
+            {
+              "fixed": "15.1.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "15.2.0-canary.0"
+            },
+            {
+              "fixed": "15.2.6"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "15.3.0-canary.0"
+            },
+            {
+              "fixed": "15.3.6"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "15.4.0-canary.0"
+            },
+            {
+              "fixed": "15.4.8"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "15.5.1-canary.0"
+            },
+            {
+              "fixed": "15.5.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "16.0.0-canary.0"
+            },
+            {
+              "fixed": "16.0.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66478"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vercel/next.js"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-03T19:07:11Z",
+    "nvd_published_at": "2025-12-03T18:15:47Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-fmh4-wr37-44fp/GHSA-fmh4-wr37-44fp.json b/advisories/github-reviewed/2025/12/GHSA-fmh4-wr37-44fp/GHSA-fmh4-wr37-44fp.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fmh4-wr37-44fp",
+  "modified": "2025-12-03T19:07:52Z",
+  "published": "2025-12-03T19:07:52Z",
+  "aliases": [],
+  "summary": "React Server Components are Vulnerable to RCE",
+  "details": "### Summary\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r\n\n### Impact\n\nApplications using affected versions of `@vitejs/plugin-rsc` are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.\n\n### Recommendations\n\nUpgrade immediately to `@vitejs/plugin-rsc@0.5.3` or later.\n\n### Workarounds\n\nApplications not using server-side React or React Server Components are unaffected.",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@vitejs/plugin-rsc"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.5.3"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.5.2"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vitejs/vite-plugin-react"
+    },
+    {
+      "type": "WEB",
+      "url": "https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-03T19:07:52Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json b/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
