Skip to content

Commit ed67c7c

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-c6m7-q6pr-c64r GHSA-cpqf-f22c-r95x
1 parent ba55f59 commit ed67c7c

File tree

2 files changed

+124
-0
lines changed

2 files changed

+124
-0
lines changed

advisories/github-reviewed/2025/12/GHSA-c6m7-q6pr-c64r/GHSA-c6m7-q6pr-c64r.json

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-c6m7-q6pr-c64r",
4+
"modified": "2025-12-12T16:41:58Z",
5+
"published": "2025-12-12T16:41:58Z",
6+
"aliases": [],
7+
"summary": "Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components",
8+
"details": "### Impact\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4\n\n### Patches\n\nUpgrade immediately to `@vitejs/[email protected]` or later.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "@vitejs/plugin-rsc"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.5.7"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 0.5.6"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/facebook/react/security/advisories/GHSA-925w-6v3x-g4j4"
43+
},
44+
{
45+
"type": "WEB",
46+
"url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-c6m7-q6pr-c64r"
47+
},
48+
{
49+
"type": "PACKAGE",
50+
"url": "https://github.com/vitejs/vite-plugin-react"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-1395",
56+
"CWE-497",
57+
"CWE-502"
58+
],
59+
"severity": "MODERATE",
60+
"github_reviewed": true,
61+
"github_reviewed_at": "2025-12-12T16:41:58Z",
62+
"nvd_published_at": null
63+
}
64+
}

advisories/github-reviewed/2025/12/GHSA-cpqf-f22c-r95x/GHSA-cpqf-f22c-r95x.json

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cpqf-f22c-r95x",
4+
"modified": "2025-12-12T16:41:08Z",
5+
"published": "2025-12-12T16:41:08Z",
6+
"aliases": [],
7+
"summary": "Vite Plugin React has a Denial of Service Vulnerability in React Server Components",
8+
"details": "### Impact\n\n`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-7gmr-mq3h-m5h9\n\n### Patches\n\nUpgrade immediately to `@vitejs/[email protected]` or later.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "@vitejs/plugin-rsc"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "0.5.7"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 0.5.6"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-cpqf-f22c-r95x"
43+
},
44+
{
45+
"type": "PACKAGE",
46+
"url": "https://github.com/vitejs/vite-plugin-react"
47+
}
48+
],
49+
"database_specific": {
50+
"cwe_ids": [
51+
"CWE-1395",
52+
"CWE-400",
53+
"CWE-502"
54+
],
55+
"severity": "HIGH",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2025-12-12T16:41:08Z",
58+
"nvd_published_at": null
59+
}
60+
}

0 commit comments

Comments
 (0)