diff --git a/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json b/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
index 251bea37486c6..279da004ff789 100644
--- a/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
+++ b/advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fv66-9v8q-g76r",
- "modified": "2025-12-03T19:07:40Z",
+ "modified": "2025-12-03T19:07:41Z",
 "published": "2025-12-03T19:07:39Z",
 "aliases": [
 "CVE-2025-55182"
 ],
 "summary": "React Server Components are Vulnerable to RCE",
- "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. 
If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
+ "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -25,7 +25,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "19.0"
+ "introduced": "19.0.0"
 },
 {
 "fixed": "19.0.1"
@@ -34,7 +34,7 @@
 }
 ],
 "versions": [
- "19.0"
+ "19.0.0"
 ]
 },
 {
@@ -88,7 +88,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "19.0"
+ "introduced": "19.0.0"
 },
 {
 "fixed": "19.0.1"
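Review bot: The lower bound `"introduced": "19.0.0"` in the hunk at -25 (and the identical change at -88 and -151) sorts above every 19.0.0 pre-release tag under semver ordering, so a scanner that matches by range will not flag an install pinned to such a build. Nothing visible in these hunks says whether pre-release builds of the three packages carry the affected code; that is worth confirming against the upstream advisory before treating the range as complete. If they are affected, either lower the `introduced` bound or list those builds explicitly under `"versions"`, and have `details` state it in one sentence so the prose and the ranges agree. The enclosing `affected` entries begin and end outside these hunks.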
@@ -97,7 +97,7 @@
 }
 ],
 "versions": [
- "19.0"
+ "19.0.0"
 ]
 },
 {
@@ -151,7 +151,7 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "19.0"
+ "introduced": "19.0.0"
 },
 {
 "fixed": "19.0.1"
@@ -160,7 +160,7 @@
 }
 ],
 "versions": [
- "19.0"
+ "19.0.0"
 ]
 },
 {