Vulnerability DatabaseGHSA-9qr9-h5gf-34mp

GHSA-9qr9-h5gf-34mp:
Next.js vulnerability analysis and mitigation

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182. Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+ The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76. All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately. ¹ The affected React packages are:

react-server-dom-parcel
react-server-dom-turbopack
react-server-dom-webpack

Source: NVD

Related Next.js vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-5j59-xgg2-r9c4	HIGH	7.5	Next.js	next	No	Yes	Dec 12, 2025
CVE-2025-67779	HIGH	7.5	React Server Components	react-server-dom-webpack	No	Yes	Dec 12, 2025
GHSA-mwv6-3258-q52c	HIGH	7.5	Next.js	next	No	Yes	Dec 11, 2025
CVE-2025-55184	HIGH	7.5	React Server Components	next	No	Yes	Dec 11, 2025
GHSA-w37m-7fhw-fmv9	MEDIUM	5.3	Next.js	next	No	Yes	Dec 11, 2025