Fix patch versions for CVE-2025-55184 #6547
Conversation
See https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of: react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3.
github-actions
bot
changed the base branch from
main
to
hansott/advisory-improvement-6547
There was a problem hiding this comment.
Pull request overview
This PR corrects the patch version numbers in a security advisory for CVE-2025-55184, a denial of service vulnerability in React Server Components. The advisory initially referenced incorrect fixed versions, and this PR updates them to the actual patched versions as documented in the React security blog post.
Key changes:
- Updated "fixed" version from 19.0.2 to 19.0.3 for the 19.0.x range
- Updated "fixed" version from 19.1.3 to 19.1.4 for the 19.1.x range
- Updated "fixed" version from 19.2.2 to 19.2.3 for the 19.2.x range
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
👋 Hi @hansott, I'm going to keep this advisory's vulnerable and affected versions the way they currently are because GHSA-2m3v-v2m8-q956 addresses the initial fix and a follow-up advisory, GHSA-7gmr-mq3h-m5h9, addresses the completed fix and updated patched versions. Thank you for your interest in GHSA-2m3v-v2m8-q956. |
2 participants
See https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
This includes versions 19.0.0, 19.0.1, 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.1.2, 19.2.0, 19.2.1 and 19.2.2 of:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
Fixes were backported to versions 19.0.3, 19.1.4, and 19.2.3.