[GHSA-fv66-9v8q-g76r] React Server Components are Vulnerable to RCE

[nozo-moto]

Updates

• Affected products

Comments
CVE-2025-66478 seems archived.
https://www.cve.org/CVERecord?id=CVE-2025-66478

The Next.js fixed number was only listed in CVE-2025-66478's advisory, so please merge them here to detect Next.js's vulnerabilities.
GHSA-9qr9-h5gf-34mp

[github]

Hi there @zpao! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

This PR adds Next.js package vulnerability information to the React Server Components RCE advisory (GHSA-fv66-9v8q-g76r) by merging data from an archived CVE (CVE-2025-66478). The change expands the affected products list to include multiple Next.js version ranges.

Key changes:

• Adds seven Next.js package entries covering various vulnerable version ranges
• Updates the modification timestamp to reflect the change

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[zpao]

Hmm, I don't believe that we should include the Next versions in React's report. There are any number of downstream packages which could be impacted - for example Vite also published their own advisory (GHSA-fmh4-wr37-44fp) without a new CVE.

[advisory-database]

Hi @nozo-moto! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!