Add CVE-2025-55182 alias to GHSA-9qr9-h5gf-34mp #6524
bottarocarlo wants to merge 2 commits into github from bottarocarlo/advisory-improvement-6524
Conversation
Add CVE alias for GHSA-9qr9-h5gf-34mp advisory.
Pull request overview
This PR adds CVE-2025-55182 as an alias to GitHub Security Advisory GHSA-9qr9-h5gf-34mp, which tracks a critical Remote Code Execution vulnerability in Next.js's React flight protocol. The CVE was already referenced in the advisory's details and references sections, and this change properly includes it in the structured aliases array for improved vulnerability tracking and cross-referencing.
Key Changes:
- Added CVE-2025-55182 to the aliases array in the advisory JSON schema
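The inconsistency this PR fixes (a CVE named in an advisory's `details` and `references` but missing from its structured `aliases` array) is easy to catch mechanically. The following script is an added example, not code from this PR or from the advisory-database project. It uses the OSV schema field names `id`, `aliases`, `details` and `references`, and runs over a constructed minimal advisory that only reuses the identifiers on this page; the summary, details text and schema version are placeholders. It generalizes to any OSV-format advisory file: scan the free text for CVE ids, compare them with the declared aliases, and report or append the missing ones.

```python
import json
import re

# CVE identifier pattern (CVE-YYYY-NNNN with four or more trailing digits).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed, minimal OSV-style advisory modelled on the situation in this PR:
# the CVE appears in the free-text details and in a reference URL, but the
# structured "aliases" array is empty. Only identifiers named on the page are
# real; summary, details and schema_version are placeholders.
ADVISORY_BEFORE = json.dumps({
    "schema_version": "1.4.0",
    "id": "GHSA-9qr9-h5gf-34mp",
    "aliases": [],
    "summary": "Placeholder summary for the React flight protocol RCE advisory",
    "details": "Placeholder details. Tracked upstream as CVE-2025-55182.",
    "references": [
        {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"},
    ],
})


def _cves_in(value):
    """Recursively collect CVE ids from every string inside a JSON value."""
    found = set()
    if isinstance(value, str):
        found.update(CVE_RE.findall(value))
    elif isinstance(value, dict):
        for v in value.values():
            found |= _cves_in(v)
    elif isinstance(value, list):
        for v in value:
            found |= _cves_in(v)
    return found


def aliases_of(advisory_json):
    """Return the advisory's declared aliases list."""
    return list(json.loads(advisory_json).get("aliases", []))


def missing_aliases(advisory_json):
    """CVE ids mentioned in details/references but absent from the aliases array."""
    adv = json.loads(advisory_json)
    mentioned = _cves_in(adv.get("details", "")) | _cves_in(adv.get("references", []))
    declared = {a for a in adv.get("aliases", []) if CVE_RE.fullmatch(a)}
    return mentioned - declared


def add_missing_aliases(advisory_json):
    """Return a new advisory JSON string with the missing CVE aliases appended (sorted)."""
    adv = json.loads(advisory_json)
    aliases = list(adv.get("aliases", []))
    aliases.extend(sorted(missing_aliases(advisory_json)))
    adv["aliases"] = aliases
    return json.dumps(adv, indent=2)


if __name__ == "__main__":
    print("missing before:", sorted(missing_aliases(ADVISORY_BEFORE)))
    fixed = add_missing_aliases(ADVISORY_BEFORE)
    print("missing after:", sorted(missing_aliases(fixed)))
    print("aliases now:", aliases_of(fixed))
```

Running it reports `CVE-2025-55182` as missing before the fix and nothing after; the same check over a whole advisory directory is how the false negatives mentioned later in this thread (scanners that match on CVE ids rather than GHSA ids) can be found before they reach downstream tooling.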
Hi @shelbyc, I saw your comment #6496 (comment). The missing CVE is causing some false negatives in various vulnerability scanning tools. As an alternative, should we add next and reactjs to GHSA-fv66-9v8q-g76r?
Added multiple vulnerability ranges for 'next' and 'react' packages in the advisory.
Added CVE-2025-55182 as an alias to the GitHub Security Advisory GHSA-9qr9-h5gf-34mp to link the upstream React Server Components vulnerability with the downstream Next.js App Router advisory. This ensures vulnerability tracking tools and audits can reference both identifiers consistently.