GHSA-9qr9-h5gf-34mp

Source

https://github.com/advisories/GHSA-9qr9-h5gf-34mp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9qr9-h5gf-34mp

Related

CGA-3qrq-jr55-42fv

Published

2025-12-03T19:07:11Z

Modified

2025-12-08T21:51:52.010482Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Next.js is vulnerable to RCE in React flight protocol

Details

A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

<sup>1</sup> The affected React packages are: - react-server-dom-parcel - react-server-dom-turbopack - react-server-dom-webpack

Database specific

{
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed_at": "2025-12-03T19:07:11Z",
    "nvd_published_at": "2025-12-03T18:15:47Z",
    "github_reviewed": true
}

References

Affected packages

npm

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

14.3.0-canary.77

Fixed

15.0.5

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.1.0-canary.0

Fixed

15.1.9

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.2.0-canary.0

Fixed

15.2.6

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.3.0-canary.0

Fixed

15.3.6

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.4.0-canary.0

Fixed

15.4.8

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.5.0-canary.0

Fixed

15.5.7

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

16.0.0-canary.0

Fixed

16.0.7

GHSA-9qr9-h5gf-34mp

Affected packages

npm

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges