From 8d231cb3f705f0ed91364e1e407a501680a3da8d Mon Sep 17 00:00:00 2001 From: msw Date: Thu, 4 Dec 2025 13:11:34 -0800 Subject: [PATCH] [GHSA-9qr9-h5gf-34mp] Remove alias to rejected CVE-2025-66478, add related ID for React upstream CVE-2025-55182 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per the OSV schema: https://ossf.github.io/osv-schema/#aliases-field Aliases should **not** be used to refer to vulnerabilities in packages upstream or downstream in a software supply chain from the given OSV record’s affected package(s). For example, if a CVE describes a vulnerability in a language library, and a Linux distribution package contains that library and therefore publishes an advisory, the distribution’s OSV record must not list the CVE ID as an alias. Similarly, distributions often bundle multiple upstream vulnerabilities into a single record. To refer to these upstream vulnerabilities, `upstream` should be used. However, from https://github.com/github/advisory-database/pull/6507 we see that the GitHub advisory database doesn't currently support `upstream` so we'll add a `releated` ID instead.
---
 .../12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json b/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json
index 41e3c1d45ee41..1d349d94b099e 100644
--- a/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json
+++ b/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json
@@ -3,8 +3,8 @@
 "id": "GHSA-9qr9-h5gf-34mp",
 "modified": "2025-12-04T20:07:06Z",
 "published": "2025-12-03T19:07:11Z",
- "aliases": [
- "CVE-2025-66478"
+ "related": [
+ "CVE-2025-55182"
 ],
 "summary": "Next.js is vulnerable to RCE in React flight protocol",
 "details": "A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55182](https://www.cve.org/CVERecord?id=CVE-2025-55182). \n\nFixed in:\nReact: 19.0.1, 19.1.2, 19.2.1\nNext.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7\n\nThe vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.\n\nAll users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.\n\n1 The affected React packages are:\n- react-server-dom-parcel\n- react-server-dom-turbopack\n- react-server-dom-webpack",
@@ -154,10 +154,6 @@
 "type": "WEB",
 "url": "https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp"
 },
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66478"
- },
 {
 "type": "PACKAGE",
 "url": "https://github.com/vercel/next.js"
@@ -172,4 +168,4 @@
 "github_reviewed_at": "2025-12-03T19:07:11Z",
 "nvd_published_at": "2025-12-03T18:15:47Z"
 }
-}
\ No newline at end of file
+}
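Review bot: Removing the ADVISORY reference to the rejected CVE-2025-66478 in the second hunk leaves the record with no `references` entry for the upstream identifier it now carries in `related`; the cve.org link for CVE-2025-55182 survives only inside the free-text `details` string, which scanners and aggregators generally do not parse. Unless such an entry already exists in the part of the `references` array that lies outside the hunk, consider adding `{ "type": "ADVISORY", "url": "https://www.cve.org/CVERecord?id=CVE-2025-55182" }` beside the remaining WEB and PACKAGE entries so the upstream linkage is machine-readable. In the first hunk, `related` is, per the OSV schema text quoted in the commit message, a weaker relation than `upstream`, so tooling that deduplicates by alias or upstream will treat this GHSA and CVE-2025-55182 as distinct issues; that appears intended given the schema guidance and the unsupported `upstream` field, but it is worth revisiting once the database supports it. The enclosing `references` array starts and ends outside the second hunk.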