
Conversation

@yusuke-koyoshi
Although CVE-2025-66478 has been rejected and the CVE-ID for GHSA-9qr9-h5gf-34mp has been removed, it is believed that the CVE-ID should be linked to CVE-2025-55182.
This is because the Next.js CPE is associated with CVE-2025-55182.
https://nvd.nist.gov/vuln/detail/CVE-2025-55182

@github
Collaborator

github commented Dec 9, 2025

Hi there @aaronbrown-vercel! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

Copilot AI review requested due to automatic review settings December 9, 2025 14:30
@github-actions github-actions bot changed the base branch from main to yusuke-koyoshi/advisory-improvement-6521 December 9, 2025 14:31

Copilot AI left a comment


Pull request overview

This PR updates a GitHub security advisory (GHSA-9qr9-h5gf-34mp) for a Next.js vulnerability. The change removes the reference to the rejected CVE-2025-66478 from the details section, as it should instead be linked to CVE-2025-55182. The PR also reorders version ranges in the affected packages section.

Key changes:

  • Removed CVE-2025-66478 reference from the vulnerability description
  • Updated the modified timestamp to reflect the change
  • Reordered version ranges for the affected Next.js packages
Comments suppressed due to low confidence (1)

advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json:148

  • The version ranges are not in sequential order. After the reordering, ranges 6 and 7 (15.1.x and 15.5.x) are out of sequence. The correct order should be:
  1. 14.3.0-canary.77 to 15.0.5
  2. 15.1.0-canary.0 to 15.1.9
  3. 15.2.0-canary.0 to 15.2.6
  4. 15.3.0-canary.0 to 15.3.6
  5. 15.4.0-canary.0 to 15.4.8
  6. 15.5.0-canary.0 to 15.5.7
  7. 16.0.0-canary.0 to 16.0.7

This makes the advisory harder to read and maintain.

    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "15.2.0-canary.0"
            },
            {
              "fixed": "15.2.6"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "15.3.0-canary.0"
            },
            {
              "fixed": "15.3.6"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "15.4.0-canary.0"
            },
            {
              "fixed": "15.4.8"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "16.0.0-canary.0"
            },
            {
              "fixed": "16.0.7"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "15.1.0-canary.0"
            },
            {
              "fixed": "15.1.9"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "15.5.0-canary.0"
            },
            {
              "fixed": "15.5.7"
            }
          ]
        }
      ]
    }

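As an added example (not code from this PR, the advisory database or Next.js), here is a small Python check for OSV-style affected ranges like the ones the review quotes: it parses semver including canary prereleases, flags ranges that are out of sequence or overlapping, and answers whether a given installed version falls inside an affected range. The range list is constructed from the seven ranges the review lists; the function names are my own.

```python
import re

# Constructed sample: the seven affected (introduced, fixed) ranges for npm "next"
# in the sequential order the review asks for. Ranges are half-open: [introduced, fixed).
RANGES = [
    ("14.3.0-canary.77", "15.0.5"),
    ("15.1.0-canary.0", "15.1.9"),
    ("15.2.0-canary.0", "15.2.6"),
    ("15.3.0-canary.0", "15.3.6"),
    ("15.4.0-canary.0", "15.4.8"),
    ("15.5.0-canary.0", "15.5.7"),
    ("16.0.0-canary.0", "16.0.7"),
]

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse(version):
    """Sort key for a semver string; a release sorts after any prerelease of the same x.y.z."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + ((1,),)  # release > prerelease
    # numeric identifiers compare numerically and sort before alphanumeric ones
    ids = tuple((0, int(i)) if i.isdigit() else (1, i) for i in pre.split("."))
    return core + ((0,) + ids,)


def check_order(ranges):
    """Return a list of problems: empty ranges, and ranges that start before the previous one ends."""
    problems = []
    prev_fixed = None
    for intro, fixed in ranges:
        if parse(intro) >= parse(fixed):
            problems.append(f"empty range {intro}..{fixed}")
        if prev_fixed is not None and parse(intro) < parse(prev_fixed):
            problems.append(f"{intro} out of sequence or overlapping (previous range ended at {prev_fixed})")
        prev_fixed = fixed
    return problems


def is_affected(version, ranges):
    """True if version falls inside any [introduced, fixed) range."""
    key = parse(version)
    return any(parse(intro) <= key < parse(fixed) for intro, fixed in ranges)
```

Running check_order over the ranges in the order the quoted JSON has them (15.2, 15.3, 15.4, 16.0, 15.1, 15.5) reports the 15.1 range as out of sequence, which is the defect the review points at.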

@shelbyc
Contributor

shelbyc commented Dec 9, 2025

Hi @yusuke-koyoshi, thank you for your feedback about the use of CVE-2025-55182 vs. CVE-2025-66478 in GHSA-9qr9-h5gf-34mp. Your feedback reflects feedback that I've received from other vulnerability management professionals.

GitHub rejected CVE-2025-66478 in order to comply with the CVE CNA rules, specifically rule 4.1.12:

4.1.12 The act of updating Product dependencies MUST NOT be determined to be a Vulnerability, regardless of whether the dependencies have Vulnerabilities. For example, updating a library to address a Vulnerability in that library MUST NOT be determined to be a new Vulnerability in a Product that uses the library, and a Vulnerability advisory for the Product SHOULD reference the CVE ID for the Vulnerability in the library.

Therefore, according to the rules, packages that depend on a piece of software that is affected by CVE-2025-55182 should also use CVE-2025-55182.

@yusuke-koyoshi
Author

Therefore, according to the rules, packages that depend on a piece of software that is affected by GHSA-fv66-9v8q-g76r should also use GHSA-fv66-9v8q-g76r.

That's right.
When I created this PR from the wizard, I was unable to edit the CVE-ID, so I think it would be a good idea to change the CVE-ID to CVE-2025-55182 and merge it.

@shelbyc
Contributor

shelbyc commented Dec 9, 2025

@yusuke-koyoshi Another member of the community made this suggestion over the weekend, and I explained why CVE-2025-55182 can't be added as an alias to GHSA-9qr9-h5gf-34mp here: #6496 (comment)

CVE-2025-55182 is already attached to GHSA-fv66-9v8q-g76r in the database backend, and a CVE can only be attached to one GHSA at a time. GHSA-fv66-9v8q-g76r is the most "upstream" GHSA, so CVE-2025-55182 is attached to that advisory. I tried to establish the relationship between GHSA-9qr9-h5gf-34mp and CVE-2025-55182 as well as I could by adding https://nvd.nist.gov/vuln/detail/CVE-2025-55182 to the list of references in the global advisory.
