Commit e46acd7

1 parent fe34388 commit e46acd7

1 file changed

+4
-6
lines changed

advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json

Lines changed: 4 additions & 6 deletions
@@ -1,13 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9qr9-h5gf-34mp",
4-
"modified": "2025-12-04T20:07:06Z",
4+
"modified": "2025-12-08T21:36:57Z",
55
"published": "2025-12-03T19:07:11Z",
6-
"aliases": [
7-
"CVE-2025-66478"
8-
],
6+
"aliases": [],
97
"summary": "Next.js is vulnerable to RCE in React flight protocol",
10-
"details": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
8+
"details": "A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n<sup>1</sup> The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
119
"severity": [
1210
{
1311
"type": "CVSS_V3",
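Review bot: The new `"aliases": []` line drops CVE-2025-66478 without leaving any trace of it in the record. The "details" text names only CVE-2025-55182 as the upstream tracker, so a consumer that matched this advisory on the old identifier gets no explanation of why the mapping disappeared. Consider adding one sentence to "details" stating how the two IDs relate. Separately, in the extended "Fixed in" list the entry `16.1.0-canary.12+` carries a trailing "+" while every other entry, including the newly added `15.6.0-canary.58`, is an exact version. Either drop the "+" or say explicitly that it means "this canary and later", and apply the same notation to the 15.6.0 canary if that is intended. The two canary versions are also appended after 16.0.7, which breaks the ascending order of the list. Finally, confirm that the affected ranges elsewhere in the file (not visible in this hunk) agree with the canary versions now listed as fixed.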
@@ -156,7 +154,7 @@
156154
},
157155
{
158156
"type": "ADVISORY",
159-
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66478"
157+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
160158
},
161159
{
162160
"type": "PACKAGE",
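Review bot: The ADVISORY reference now points at the NVD entry for CVE-2025-55182, but the first hunk leaves "aliases" empty, so the record links to a CVE page for an identifier it does not itself claim. If CVE-2025-55182 is meant to be the identifier for this advisory, add it to "aliases"; if it is only the upstream React issue, as the "details" text describes it, consider whether ADVISORY is the right reference type for this URL. Also check the reference entries outside this hunk for an existing link to the same NVD page, since the file lines between the two hunks are not shown and a duplicate would be easy to introduce here.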

0 commit comments
