|
| 1 | +{ |
| 2 | + "document": { |
| 3 | + "category": "csaf_vex", |
| 4 | + "csaf_version": "2.0", |
| 5 | + "distribution": { |
| 6 | + "tlp": { |
| 7 | + "label": "WHITE", |
| 8 | + "url": "https://www.first.org/tlp/v1/" |
| 9 | + } |
| 10 | + }, |
| 11 | + "lang": "en", |
| 12 | + "publisher": { |
| 13 | + "category": "vendor", |
| 14 | + "contact_details": "See contact points at https://github.com/ISDuBA", |
| 15 | + "name": "ISDuBA Dev team", |
| 16 | + "namespace": "https://github.com/ISDuBA" |
| 17 | + }, |
| 18 | + "references": [ |
| 19 | + { |
| 20 | + "category": "self", |
| 21 | + "summary": "ISDuBA-2025-02", |
| 22 | + "url": "https://isduba.github.io/.well-known/csaf/white/2025/isduba-2025-02.json" |
| 23 | + } |
| 24 | + ], |
| 25 | + "title": "does not integrate React Server Components", |
| 26 | + "tracking": { |
| 27 | + "current_release_date": "2025-12-12T16:20:00.000Z", |
| 28 | + "id": "isduba-2025-02", |
| 29 | + "initial_release_date": "2025-12-12T16:20:00.000Z", |
| 30 | + "revision_history": [ |
| 31 | + { |
| 32 | + "date": "2025-12-12T16:20:00.000Z", |
| 33 | + "number": "1.0.0", |
| 34 | + "summary": "Initial revision" |
| 35 | + } |
| 36 | + ], |
| 37 | + "status": "final", |
| 38 | + "version": "1.0.0" |
| 39 | + } |
| 40 | + }, |
| 41 | + "product_tree": { |
| 42 | + "branches": [ |
| 43 | + { |
| 44 | + "branches": [ |
| 45 | + { |
| 46 | + "branches": [ |
| 47 | + { |
| 48 | + "category": "product_version_range", |
| 49 | + "name": "vers:all/*", |
| 50 | + "product": { |
| 51 | + "name": "ISDuBA all versions", |
| 52 | + "product_id": "isduba-all-versions" |
| 53 | + } |
| 54 | + } |
| 55 | + ], |
| 56 | + "category": "product_name", |
| 57 | + "name": "ISDuBA" |
| 58 | + } |
| 59 | + ], |
| 60 | + "category": "vendor", |
| 61 | + "name": "Isduba Development Community" |
| 62 | + } |
| 63 | + ] |
| 64 | + }, |
| 65 | + "vulnerabilities": [ |
| 66 | + { |
| 67 | + "cve": "CVE-2025-55182", |
| 68 | + "flags": [ |
| 69 | + { |
| 70 | + "label": "component_not_present", |
| 71 | + "product_ids": [ |
| 72 | + "isduba-all-versions" |
| 73 | + ] |
| 74 | + } |
| 75 | + ], |
| 76 | + "notes": [ |
| 77 | + { |
| 78 | + "category": "description", |
| 79 | + "text": "Critical Security Vulnerability in React Server Components\n[..] that allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.\nEven if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.", |
| 80 | + "title": "CVE description" |
| 81 | + } |
| 82 | + ], |
| 83 | + "product_status": { |
| 84 | + "known_not_affected": [ |
| 85 | + "isduba-all-versions" |
| 86 | + ] |
| 87 | + } |
| 88 | + }, |
| 89 | + { |
| 90 | + "cve": "CVE-2025-66478", |
| 91 | + "flags": [ |
| 92 | + { |
| 93 | + "label": "component_not_present", |
| 94 | + "product_ids": [ |
| 95 | + "isduba-all-versions" |
| 96 | + ] |
| 97 | + } |
| 98 | + ], |
| 99 | + "notes": [ |
| 100 | + { |
| 101 | + "category": "description", |
| 102 | + "text": "A critical vulnerability has been identified in the React Server Components (RSC) protocol. The issue is rated CVSS 10.0 and can allow remote code execution when processing attacker-controlled requests in unpatched environments.\nThis vulnerability originates in the upstream React implementation (CVE-2025-55182). This advisory (CVE-2025-66478) tracks the downstream impact on Next.js applications using the App Router.", |
| 103 | + "title": "CVE description" |
| 104 | + } |
| 105 | + ], |
| 106 | + "product_status": { |
| 107 | + "known_not_affected": [ |
| 108 | + "isduba-all-versions" |
| 109 | + ] |
| 110 | + } |
| 111 | + } |
| 112 | + ] |
| 113 | +} |
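Review bot: Both `vulnerabilities` entries (file lines 65–111) back `known_not_affected` only with the machine-readable `component_not_present` flag, so a consumer triaging this VEX has no stated reason to verify the claim against. Consider adding a human-readable impact statement to each entry, e.g. `"threats": [{"category": "impact", "details": "<why the component is absent from ISDuBA>", "product_ids": ["isduba-all-versions"]}]`. The `document.title` on file line 25 is a fragment with no subject and is unclear in an aggregator listing; `"title": "ISDuBA does not integrate React Server Components"` would stand on its own. Because the product range is `vers:all/*`, the statement also covers future releases, so the advisory needs a new revision if the frontend dependency set ever changes.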