Skip to content

Commit 329fe19

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-mwv6-3258-q52c GHSA-w37m-7fhw-fmv9
1 parent e8a3e76 commit 329fe19

File tree

2 files changed

+453
-0
lines changed

2 files changed

+453
-0
lines changed

advisories/github-reviewed/2025/12/GHSA-mwv6-3258-q52c/GHSA-mwv6-3258-q52c.json

Lines changed: 236 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,236 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mwv6-3258-q52c",
4+
"modified": "2025-12-11T22:49:28Z",
5+
"published": "2025-12-11T22:49:27Z",
6+
"aliases": [],
7+
"summary": "Next Vulnerable to Denial of Service with Server Components",
8+
"details": "A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).\n\nA malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "next"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "13.3.0"
27+
},
28+
{
29+
"fixed": "14.2.34"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "npm",
38+
"name": "next"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "15.0.0-canary.0"
46+
},
47+
{
48+
"fixed": "15.0.6"
49+
}
50+
]
51+
}
52+
]
53+
},
54+
{
55+
"package": {
56+
"ecosystem": "npm",
57+
"name": "next"
58+
},
59+
"ranges": [
60+
{
61+
"type": "ECOSYSTEM",
62+
"events": [
63+
{
64+
"introduced": "15.1.1-canary.0"
65+
},
66+
{
67+
"fixed": "15.1.10"
68+
}
69+
]
70+
}
71+
]
72+
},
73+
{
74+
"package": {
75+
"ecosystem": "npm",
76+
"name": "next"
77+
},
78+
"ranges": [
79+
{
80+
"type": "ECOSYSTEM",
81+
"events": [
82+
{
83+
"introduced": "15.2.0-canary.0"
84+
},
85+
{
86+
"fixed": "15.2.7"
87+
}
88+
]
89+
}
90+
]
91+
},
92+
{
93+
"package": {
94+
"ecosystem": "npm",
95+
"name": "next"
96+
},
97+
"ranges": [
98+
{
99+
"type": "ECOSYSTEM",
100+
"events": [
101+
{
102+
"introduced": "15.3.0-canary.0"
103+
},
104+
{
105+
"fixed": "15.3.7"
106+
}
107+
]
108+
}
109+
]
110+
},
111+
{
112+
"package": {
113+
"ecosystem": "npm",
114+
"name": "next"
115+
},
116+
"ranges": [
117+
{
118+
"type": "ECOSYSTEM",
119+
"events": [
120+
{
121+
"introduced": "15.4.0-canary.0"
122+
},
123+
{
124+
"fixed": "15.4.9"
125+
}
126+
]
127+
}
128+
]
129+
},
130+
{
131+
"package": {
132+
"ecosystem": "npm",
133+
"name": "next"
134+
},
135+
"ranges": [
136+
{
137+
"type": "ECOSYSTEM",
138+
"events": [
139+
{
140+
"introduced": "15.5.1-canary.0"
141+
},
142+
{
143+
"fixed": "15.5.8"
144+
}
145+
]
146+
}
147+
]
148+
},
149+
{
150+
"package": {
151+
"ecosystem": "npm",
152+
"name": "next"
153+
},
154+
"ranges": [
155+
{
156+
"type": "ECOSYSTEM",
157+
"events": [
158+
{
159+
"introduced": "15.6.0-canary.0"
160+
},
161+
{
162+
"fixed": "15.6.0-canary.59"
163+
}
164+
]
165+
}
166+
]
167+
},
168+
{
169+
"package": {
170+
"ecosystem": "npm",
171+
"name": "next"
172+
},
173+
"ranges": [
174+
{
175+
"type": "ECOSYSTEM",
176+
"events": [
177+
{
178+
"introduced": "16.0.0-beta.0"
179+
},
180+
{
181+
"fixed": "16.0.9"
182+
}
183+
]
184+
}
185+
]
186+
},
187+
{
188+
"package": {
189+
"ecosystem": "npm",
190+
"name": "next"
191+
},
192+
"ranges": [
193+
{
194+
"type": "ECOSYSTEM",
195+
"events": [
196+
{
197+
"introduced": "16.1.0-canary.0"
198+
},
199+
{
200+
"fixed": "16.1.0-canary.17"
201+
}
202+
]
203+
}
204+
]
205+
}
206+
],
207+
"references": [
208+
{
209+
"type": "WEB",
210+
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c"
211+
},
212+
{
213+
"type": "PACKAGE",
214+
"url": "https://github.com/vercel/next.js"
215+
},
216+
{
217+
"type": "WEB",
218+
"url": "https://nextjs.org/blog/security-update-2025-12-11"
219+
},
220+
{
221+
"type": "WEB",
222+
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
223+
}
224+
],
225+
"database_specific": {
226+
"cwe_ids": [
227+
"CWE-1395",
228+
"CWE-400",
229+
"CWE-502"
230+
],
231+
"severity": "HIGH",
232+
"github_reviewed": true,
233+
"github_reviewed_at": "2025-12-11T22:49:27Z",
234+
"nvd_published_at": null
235+
}
236+
}

0 commit comments

Comments
 (0)