[GHSA-9qr9-h5gf-34mp] Next.js is vulnerable to RCE in React flight protocol #6521
Conversation
Hi there @aaronbrown-vercel! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This PR updates a GitHub security advisory (GHSA-9qr9-h5gf-34mp) for a Next.js vulnerability. The change removes the reference to the rejected CVE-2025-66478 from the details section, as it should instead be linked to CVE-2025-55182. The PR also reorders version ranges in the affected packages section.
Key changes:
- Removed CVE-2025-66478 reference from the vulnerability description
- Updated the modified timestamp to reflect the change
- Reordered version ranges for the affected Next.js packages
Comments suppressed due to low confidence (1)
advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json:148
- The version ranges are not in sequential order. After the reordering, ranges 6 and 7 (15.1.x and 15.5.x) are out of sequence. The correct order should be:
  - 14.3.0-canary.77 to 15.0.5
  - 15.1.0-canary.0 to 15.1.9
  - 15.2.0-canary.0 to 15.2.6
  - 15.3.0-canary.0 to 15.3.6
  - 15.4.0-canary.0 to 15.4.8
  - 15.5.0-canary.0 to 15.5.7
  - 16.0.0-canary.0 to 16.0.7

  This makes the advisory harder to read and maintain.
```json
{
  "package": {
    "ecosystem": "npm",
    "name": "next"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "15.2.0-canary.0"
        },
        {
          "fixed": "15.2.6"
        }
      ]
    }
  ]
},
{
  "package": {
    "ecosystem": "npm",
    "name": "next"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "15.3.0-canary.0"
        },
        {
          "fixed": "15.3.6"
        }
      ]
    }
  ]
},
{
  "package": {
    "ecosystem": "npm",
    "name": "next"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "15.4.0-canary.0"
        },
        {
          "fixed": "15.4.8"
        }
      ]
    }
  ]
},
{
  "package": {
    "ecosystem": "npm",
    "name": "next"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "16.0.0-canary.0"
        },
        {
          "fixed": "16.0.7"
        }
      ]
    }
  ]
},
{
  "package": {
    "ecosystem": "npm",
    "name": "next"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "15.1.0-canary.0"
        },
        {
          "fixed": "15.1.9"
        }
      ]
    }
  ]
},
{
  "package": {
    "ecosystem": "npm",
    "name": "next"
  },
  "ranges": [
    {
      "type": "ECOSYSTEM",
      "events": [
        {
          "introduced": "15.5.0-canary.0"
        },
        {
          "fixed": "15.5.7"
        }
      ]
    }
  ]
}
```
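The ordering point raised in the review above is easy to check mechanically. The following Python is an added example, not part of this PR or of the advisory-database tooling: it parses OSV-style `affected` entries, compares versions with semver prerelease precedence (so `15.2.0-canary.0` sorts below `15.2.0`), flags entries whose `introduced` version falls below an earlier entry's, and reports ranges that overlap once sorted. The sample list is constructed from the version values quoted in this thread, in the order the PR leaves them; the function names are my own.

```python
import re

# Constructed sample: the seven "next" entries with the version values quoted
# in this thread, in the order the PR leaves them (15.1.x and 15.5.x after 16.0.x).
# The shape mirrors the OSV "affected" array used by the advisory database.
def _entry(introduced, fixed):
    return {
        "package": {"ecosystem": "npm", "name": "next"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": introduced}, {"fixed": fixed}]}],
    }

AFFECTED = [
    _entry("14.3.0-canary.77", "15.0.5"),
    _entry("15.2.0-canary.0", "15.2.6"),
    _entry("15.3.0-canary.0", "15.3.6"),
    _entry("15.4.0-canary.0", "15.4.8"),
    _entry("16.0.0-canary.0", "16.0.7"),
    _entry("15.1.0-canary.0", "15.1.9"),
    _entry("15.5.0-canary.0", "15.5.7"),
]

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

def version_key(version):
    """Sortable key following semver precedence: a prerelease (e.g. canary)
    sorts below the release with the same major.minor.patch; numeric
    prerelease identifiers compare numerically and below alphanumeric ones."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, idents)

def range_bounds(entry):
    """(introduced, fixed) of the entry's first range; fixed is None if absent."""
    events = entry["ranges"][0]["events"]
    introduced = next(e["introduced"] for e in events if "introduced" in e)
    fixed = next((e["fixed"] for e in events if "fixed" in e), None)
    return introduced, fixed

def out_of_sequence(affected):
    """0-based indices of entries whose 'introduced' is below an earlier
    entry's, i.e. the ones a reader meets in the wrong order."""
    bad, highest = [], None
    for i, entry in enumerate(affected):
        key = version_key(range_bounds(entry)[0])
        if highest is not None and key < highest:
            bad.append(i)
        highest = key if highest is None else max(highest, key)
    return bad

def sorted_affected(affected):
    """Entries sorted ascending by 'introduced' (stable, so ties keep file order)."""
    return sorted(affected, key=lambda e: version_key(range_bounds(e)[0]))

def overlapping_ranges(affected):
    """Pairs (introduced_a, introduced_b) where range a has no fix, or is fixed
    only after range b begins, so the two ranges overlap once sorted.
    'fixed' is exclusive, so a fix equal to the next 'introduced' is fine."""
    ordered = [range_bounds(e) for e in sorted_affected(affected)]
    overlaps = []
    for (intro_a, fixed_a), (intro_b, _) in zip(ordered, ordered[1:]):
        if fixed_a is None or version_key(fixed_a) > version_key(intro_b):
            overlaps.append((intro_a, intro_b))
    return overlaps

if __name__ == "__main__":
    print("out of sequence (0-based):", out_of_sequence(AFFECTED))
    for intro, fixed in (range_bounds(e) for e in sorted_affected(AFFECTED)):
        print(f"  {intro} to {fixed}")
    print("overlaps:", overlapping_ranges(AFFECTED))
```

Run against the sample, `out_of_sequence` reports indices 5 and 6 (the 15.1.x and 15.5.x entries, ranges 6 and 7 in the review's 1-based numbering), `sorted_affected` yields the order the review asks for, and `overlapping_ranges` is empty, which is the property that actually matters for consumers resolving whether an installed version is affected.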
Hi @yusuke-koyoshi, thank you for your feedback about the use of CVE-2025-55182 vs. CVE-2025-66478 in GHSA-9qr9-h5gf-34mp. Your feedback reflects feedback that I've received from other vulnerability management professionals. GitHub rejected CVE-2025-66478 in order to comply with the CVE CNA rules, specifically rule 4.1.12:
Therefore, according to the rules, packages that depend on a piece of software that is affected by CVE-2025-55182 should also use CVE-2025-55182.
That's right.
@yusuke-koyoshi Another member of the community made this suggestion over the weekend, and I explained why CVE-2025-55182 can't be added as an alias to GHSA-9qr9-h5gf-34mp here: #6496 (comment). CVE-2025-55182 is already attached to GHSA-fv66-9v8q-g76r in the database backend, and a CVE can only be attached to one GHSA at a time. GHSA-fv66-9v8q-g76r is the most "upstream" GHSA, so CVE-2025-55182 is attached to that advisory. I tried to establish the relationship between GHSA-9qr9-h5gf-34mp and CVE-2025-55182 as well as I could by adding https://nvd.nist.gov/vuln/detail/CVE-2025-55182 to the list of references in the global advisory.
Got it. This PR will be closed.
Although CVE-2025-66478 has been rejected and the CVE-ID for GHSA-9qr9-h5gf-34mp has been removed, it is believed that the CVE-ID should be linked to CVE-2025-55182.
This is because the Next.js CPE is associated with CVE-2025-55182.
https://nvd.nist.gov/vuln/detail/CVE-2025-55182