Skip to content

Commit 56ee222

Browse files
advisory-database[bot]advisory-database[bot]
committed
1 parent 0dbc518 commit 56ee222

File tree

1 file changed

+248
-0
lines changed

1 file changed

+248
-0
lines changed

advisories/github-reviewed/2025/12/GHSA-5j59-xgg2-r9c4/GHSA-5j59-xgg2-r9c4.json

Lines changed: 248 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,248 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-5j59-xgg2-r9c4",
4+
"modified": "2025-12-12T17:21:58Z",
5+
"published": "2025-12-12T17:21:57Z",
6+
"aliases": [],
7+
"summary": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
8+
"details": "It was found that the fix addressing [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully prevent denial-of-service attacks in all payload types. This affects React package versions 19.0.2, 19.1.3, and 19.2.2 and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).\n\nA malicious HTTP request can be crafted and sent to any Server Function endpoint that, when deserialized, can enter an infinite loop within the React Server Components runtime. This can cause the server process to hang and consume CPU, resulting in denial of service in unpatched environments.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "next"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "13.3.1-canary.0"
27+
},
28+
{
29+
"fixed": "14.2.35"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "npm",
38+
"name": "next"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "15.0.6"
46+
},
47+
{
48+
"fixed": "15.0.7"
49+
}
50+
]
51+
}
52+
]
53+
},
54+
{
55+
"package": {
56+
"ecosystem": "npm",
57+
"name": "next"
58+
},
59+
"ranges": [
60+
{
61+
"type": "ECOSYSTEM",
62+
"events": [
63+
{
64+
"introduced": "15.1.10"
65+
},
66+
{
67+
"fixed": "15.1.11"
68+
}
69+
]
70+
}
71+
]
72+
},
73+
{
74+
"package": {
75+
"ecosystem": "npm",
76+
"name": "next"
77+
},
78+
"ranges": [
79+
{
80+
"type": "ECOSYSTEM",
81+
"events": [
82+
{
83+
"introduced": "15.2.7"
84+
},
85+
{
86+
"fixed": "15.2.8"
87+
}
88+
]
89+
}
90+
]
91+
},
92+
{
93+
"package": {
94+
"ecosystem": "npm",
95+
"name": "next"
96+
},
97+
"ranges": [
98+
{
99+
"type": "ECOSYSTEM",
100+
"events": [
101+
{
102+
"introduced": "15.3.7"
103+
},
104+
{
105+
"fixed": "15.3.8"
106+
}
107+
]
108+
}
109+
]
110+
},
111+
{
112+
"package": {
113+
"ecosystem": "npm",
114+
"name": "next"
115+
},
116+
"ranges": [
117+
{
118+
"type": "ECOSYSTEM",
119+
"events": [
120+
{
121+
"introduced": "15.4.9"
122+
},
123+
{
124+
"fixed": "15.4.10"
125+
}
126+
]
127+
}
128+
]
129+
},
130+
{
131+
"package": {
132+
"ecosystem": "npm",
133+
"name": "next"
134+
},
135+
"ranges": [
136+
{
137+
"type": "ECOSYSTEM",
138+
"events": [
139+
{
140+
"introduced": "15.5.8"
141+
},
142+
{
143+
"fixed": "15.5.9"
144+
}
145+
]
146+
}
147+
]
148+
},
149+
{
150+
"package": {
151+
"ecosystem": "npm",
152+
"name": "next"
153+
},
154+
"ranges": [
155+
{
156+
"type": "ECOSYSTEM",
157+
"events": [
158+
{
159+
"introduced": "15.6.0-canary.59"
160+
},
161+
{
162+
"fixed": "15.6.0-canary.60"
163+
}
164+
]
165+
}
166+
]
167+
},
168+
{
169+
"package": {
170+
"ecosystem": "npm",
171+
"name": "next"
172+
},
173+
"ranges": [
174+
{
175+
"type": "ECOSYSTEM",
176+
"events": [
177+
{
178+
"introduced": "16.0.9"
179+
},
180+
{
181+
"fixed": "16.0.10"
182+
}
183+
]
184+
}
185+
]
186+
},
187+
{
188+
"package": {
189+
"ecosystem": "npm",
190+
"name": "next"
191+
},
192+
"ranges": [
193+
{
194+
"type": "ECOSYSTEM",
195+
"events": [
196+
{
197+
"introduced": "16.1.0-canary.17"
198+
},
199+
{
200+
"fixed": "16.1.0-canary.19"
201+
}
202+
]
203+
}
204+
]
205+
}
206+
],
207+
"references": [
208+
{
209+
"type": "WEB",
210+
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4"
211+
},
212+
{
213+
"type": "ADVISORY",
214+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67779"
215+
},
216+
{
217+
"type": "PACKAGE",
218+
"url": "https://github.com/vercel/next.js"
219+
},
220+
{
221+
"type": "WEB",
222+
"url": "https://nextjs.org/blog/security-update-2025-12-11"
223+
},
224+
{
225+
"type": "WEB",
226+
"url": "https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components"
227+
},
228+
{
229+
"type": "WEB",
230+
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55184"
231+
},
232+
{
233+
"type": "WEB",
234+
"url": "https://www.facebook.com/security/advisories/cve-2025-67779"
235+
}
236+
],
237+
"database_specific": {
238+
"cwe_ids": [
239+
"CWE-1395",
240+
"CWE-400",
241+
"CWE-502"
242+
],
243+
"severity": "HIGH",
244+
"github_reviewed": true,
245+
"github_reviewed_at": "2025-12-12T17:21:57Z",
246+
"nvd_published_at": "2025-12-12T00:15:46Z"
247+
}
248+
}

0 commit comments

Comments
 (0)