Merge pull request #46 from vishal-s-b/master

Add OSG-SEC-2025-12-04

Author: vishal-s-b

docs/OSGSecurityAnnouncements.md

@@ -1,5 +1,6 @@
 | Date        | Title                                                 | Contents/Link       |   Risk        |
 |-------------|-------------------------------------------------------|---------------------|---------------|
+| 2025-12-04  | CRITICAL React Server Components Vulnerability (CVE-2025-55182) | [OSG-SEC-2025-12-04](./vulns/OSG-SEC-2025-12-04.md) |     |
 | 2025-09-11  | linux-kernel: CRITICAL risk vulnerability allowing local privilege escalation,CVE-2025-38352 | [OSG-SEC-2025-09-11](./vulns/OSG-SEC-2025-09-11.md) |     |
 | 2025-09-04  | linux-pam: Incomplete fix for CVE-2025-6020 (CVE-2025-8941) | [OSG-SEC-2025-09-04](./vulns/OSG-SEC-2025-09-04.md) |     |
 | 2024-12-05  | Stack based buffer overflow detected in XRootD 5.7.x | [OSG-SEC-2024-12-05](./vulns/OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md) |     |

docs/vulns/OSG-SEC-2025-12-04.md

@@ -0,0 +1,50 @@
+# OSG-SEC-2025-12-04 CRITICAL React Server Components Vulnerability (CVE-2025-55182)
+
+Dear OSG Security Contacts,
+
+A pre-authentication remote code execution vulnerability exists in React Server Components. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
+
+## IMPACTED VERSIONS:
+
+19.0.0,
+19.1.0,
+19.1.1,
+19.2.0,
+
+
+## Affected Packages
+
+react-server-dom-parcel,
+react-server-dom-turbopack,
+react-server-dom-webpack,
+
+
+
+## WHAT IS THE VULNERABILITY:
+
+The vulnerability stems from unsafe deserialization logic used by React Server Components. An attacker can send a maliciously crafted serialized payload in an HTTP request to a Server Function endpoint. When React deserializes this payload, it may create unintended objects or trigger unexpected execution paths, enabling pre-authentication remote code execution on the server.
+This vulnerability does not affect client-side React applications, and only impacts applications that use React Server Components on the server.
+## Impact
+An unauthenticated remote attacker could:
+Execute arbitrary code on the server
+Access or manipulate data processed by server-side React functions
+Compromise the hosting environment
+Potentially pivot deeper into infrastructure
+
+
+Because this vulnerability requires no authentication and may be reachable through public endpoints, it is considered Critical.
+## WHAT YOU SHOULD DO:
+Patched versions have been released. All users of the affected packages must upgrade immediately.
+19.0.1,
+19.1.2,
+19.2.1,
+Additionally, if you are a user of a React based component such as Next.js, React Router, Expo, Redwood SDK, or Waku, please check the react.dev link below for upgrade instructions.
+## REFERENCES
+[1] https://nvd.nist.gov/vuln/detail/CVE-2025-55182
+
+[2] https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
+
+
+Please contact the OSG security team at security@osg-htc.org if you have any questions or concerns.
+
+OSG Security Team

mkdocs.yml

@@ -12,6 +12,7 @@ nav:
   - Overview: 'OSGSecurityAnnouncements.md'
   - Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
 - Announcement Details:
+    - OSG-SEC-2025-12-04 CRITICAL React Server Components Vulnerability (CVE-2025-55182): './vulns/OSG-SEC-2025-12-04.md'
     - OSG-SEC-2025-09-11 linux-kernel- CRITICAL risk vulnerability allowing local privilege escalation,CVE-2025-38352: './vulns/OSG-SEC-2025-09-11.md'
     - OSG-SEC-2025-09-04 Linux pam Incomplete fix for CVE-2025-6020 (CVE-2025-8941): './vulns/OSG-SEC-2025-09-04.md'
     - OSG-SEC-2024-12-05 Stack based buffer overflow detected in XRootD-5.7.x: './vulns/OSG-SEC-2024-12-05-Stack-based-buffer-overflow-detected-in-XRootD-5.7.x.md'