[GHSA-fv66-9v8q-g76r] React Server Components are Vulnerable to RCE

advisories/github-reviewed/2025/12/GHSA-fv66-9v8q-g76r/GHSA-fv66-9v8q-g76r.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fv66-9v8q-g76r",
-  "modified": "2025-12-03T19:07:40Z",
+  "modified": "2025-12-03T19:07:41Z",
   "published": "2025-12-03T19:07:39Z",
   "aliases": [
     "CVE-2025-55182"
   ],
   "summary": "React Server Components are Vulnerable to RCE",
-  "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
+  "details": "### Impact\n\nThere is an unauthenticated remote code execution vulnerability in React Server Components.\n\nWe recommend upgrading immediately.\n\nThe vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of:\n* [react-server-dom-webpack](https://www.npmjs.com/package/react-server-dom-webpack)\n* [react-server-dom-parcel](https://www.npmjs.com/package/react-server-dom-parcel)\n* [react-server-dom-turbopack](https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme)\n\n### Patches\n\nA fix was introduced in versions [19.0.1](https://github.com/facebook/react/releases/tag/v19.0.1), [19.1.2](https://github.com/facebook/react/releases/tag/v19.1.2), and [19.2.1](https://github.com/facebook/react/releases/tag/v19.2.1). If you are using any of the above packages please upgrade to any of the fixed versions immediately.\n\nIf your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.\n\n### References\n\nSee the [blog post](https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components) for more information and upgrade instructions.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -25,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "19.0"
+              "introduced": "19.0.0"
             },
             {
               "fixed": "19.0.1"
@@ -34,7 +34,7 @@
         }
       ],
       "versions": [
-        "19.0"
+        "19.0.0"
       ]
     },
     {
@@ -88,7 +88,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "19.0"
+              "introduced": "19.0.0"
             },
             {
               "fixed": "19.0.1"
@@ -97,7 +97,7 @@
         }
       ],
       "versions": [
-        "19.0"
+        "19.0.0"
       ]
     },
     {
@@ -151,7 +151,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "19.0"
+              "introduced": "19.0.0"
             },
             {
               "fixed": "19.0.1"
@@ -160,7 +160,7 @@
         }
       ],
       "versions": [
-        "19.0"
+        "19.0.0"
       ]
     },
     {