GHSA-mwv6-3258-q52c

Source

https://github.com/advisories/GHSA-mwv6-3258-q52c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mwv6-3258-q52c

Related

CGA-3575-p24r-qcp7

Published

2025-12-11T22:49:27Z

Modified

2026-02-04T03:55:54.855562Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Next Vulnerable to Denial of Service with Server Components

Details

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2025-12-11T22:49:27Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-1395",
        "CWE-400",
        "CWE-502"
    ],
    "github_reviewed": true
}

References

Affected packages

npm

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

13.3.0

Fixed

14.2.34

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.0.0-canary.0

Fixed

15.0.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.1.1-canary.0

Fixed

15.1.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.2.0-canary.0

Fixed

15.2.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.3.0-canary.0

Fixed

15.3.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.4.0-canary.0

Fixed

15.4.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.5.1-canary.0

Fixed

15.5.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.6.0-canary.0

Fixed

15.6.0-canary.59

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

16.0.0-beta.0

Fixed

16.0.9

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

16.1.0-canary.0

Fixed

16.1.0-canary.17

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json"

GHSA-mwv6-3258-q52c

Affected packages

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific

Package

Affected ranges

Database specific