Skip to content

chore(deps): update react and next (CVE-2025-55182) #6528

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bottarocarlo wants to merge 2 commits into
base: bottarocarlo/advisory-improvement-6528
Choose a base branch
from
Open

chore(deps): update react and next (CVE-2025-55182) #6528

bottarocarlo wants to merge 2 commits into from
+184 −0

Conversation

@bottarocarlo
Copy link

@bottarocarlo bottarocarlo commented Dec 10, 2025

This pull request updates the advisory data for GHSA-fv66-9v8q-g76r.json by adding version range information for the affected next and react npm packages. These additions clarify which versions are impacted and when fixes were introduced, improving the accuracy of vulnerability tracking for downstream consumers.

Copilot AI review requested due to automatic review settings December 10, 2025 14:04
@github-actions github-actions bot changed the base branch from main to bottarocarlo/advisory-improvement-6528 December 10, 2025 14:05
Copilot AI reviewed Dec 10, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the GitHub Security Advisory (GHSA-fv66-9v8q-g76r) for CVE-2025-55182 by adding version range information for the next and react npm packages. The advisory tracks a critical RCE vulnerability in React Server Components that affects multiple React packages and Next.js framework versions.

Key Changes:

  • Added 7 version range entries for the next package covering canary and stable releases from 14.3.0-canary.77 through 16.0.7
  • Added 3 version range entries for the react package (19.0.0, 19.1.0, and 19.2.0 series) with corresponding fixes

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@Serubin
Copy link

Serubin commented Dec 10, 2025

@bottarocarlo perhaps the existing GHSA for Next should be updated to include the CVE alias - advisories/github-reviewed/2025/12/GHSA-9qr9-h5gf-34mp/GHSA-9qr9-h5gf-34mp.json?

@bottarocarlo
Copy link
Author

bottarocarlo commented Dec 10, 2025

@Serubin this was my initial though #6524 but as per comment #6496 (comment) the cveid cannot be added there

@Serubin
Copy link

Serubin commented Dec 10, 2025

@bottarocarlo makes sense. You may need to clean up the style issues from Copilot before this gets merged. I would also recommend removing/rejecting the old GHSA as a part of this PR or an immediate follow-up.

@shelbyc
Copy link
Contributor

shelbyc commented Dec 10, 2025

@bottarocarlo I have a question about the scanning tool you're using and other advisories about CVE-2025-55182, such as GHSA-fmh4-wr37-44fp. The global advisory for GHSA-fmh4-wr37-44fp doesn't have CVE-2025-55182 attached because CVE-2025-55182 is already attached to GHSA-fv66-9v8q-g76r, but the repository advisory for GHSA-fmh4-wr37-44fp lists CVE-2025-55182 as the CVE ID. Would your tool pick up the information from GHSA-9qr9-h5gf-34mp if the repository advisory listed CVE-2025-55182 as the CVE ID?

@Serubin
Copy link

Serubin commented Dec 10, 2025

@shelbyc, the issue is that GHSA-9qr9-h5gf-34mp doesn't have the correct CVE attached. Scanners may pick up GHSA-9qr9-h5gf-34mp and alert on it, but we cannot determine the canonical ID (CVE) associated with GHSA-9qr9-h5gf-34mp.

Either the next versions affected by CVE-2025-55182 should be added to GHSA-fv66-9v8q-g76r, or CVE-2025-55182 needs to be associated as an alias on GHSA-9qr9-h5gf-34mp (but I understand there is a technical limitation here).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bottarocarlo @Serubin @shelbyc