Publish GHSA-fmh4-wr37-44fp

Author: advisory-database[bot]

advisories/github-reviewed/2025/12/GHSA-fmh4-wr37-44fp/GHSA-fmh4-wr37-44fp.json

@@ -1,12 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fmh4-wr37-44fp",
-  "modified": "2025-12-03T19:07:52Z",
+  "modified": "2025-12-08T20:48:29Z",
   "published": "2025-12-03T19:07:52Z",
   "aliases": [],
   "summary": "React Server Components are Vulnerable to RCE",
   "details": "### Summary\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r\n\n### Impact\n\nApplications using affected versions of `@vitejs/plugin-rsc` are vulnerable to unauthenticated remote code execution through deserialization of untrusted data. An attacker can execute arbitrary code remotely without authentication, affecting confidentiality, integrity, and availability.\n\n### Recommendations\n\nUpgrade immediately to `@vitejs/[email protected]` or later.\n\n### Workarounds\n\nApplications not using server-side React or React Server Components are unaffected.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
   "affected": [
     {
       "package": {