GHSA-w37m-7fhw-fmv9

Source

https://github.com/advisories/GHSA-w37m-7fhw-fmv9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-w37m-7fhw-fmv9/GHSA-w37m-7fhw-fmv9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-w37m-7fhw-fmv9

Published

2025-12-11T22:49:56Z

Modified

2025-12-11T23:01:31.126560Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Next Server Actions Source Code Exposure

Details

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-1395",
        "CWE-497",
        "CWE-502"
    ],
    "github_reviewed_at": "2025-12-11T22:49:56Z",
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

npm

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.0.0-canary.0

Fixed

15.0.6

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.1.1-canary.0

Fixed

15.1.10

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.2.0-canary.0

Fixed

15.2.7

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.3.0-canary.0

Fixed

15.3.7

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.4.0-canary.0

Fixed

15.4.9

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.5.1-canary.0

Fixed

15.5.8

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

15.6.0-canary.0

Fixed

15.6.0-canary.59

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

16.0.0-beta.0

Fixed

16.0.9

Package

Name: next; View open source insights on deps.dev
Purl: pkg:npm/next

Affected ranges

Type: SEMVER
Events: Introduced

16.1.0-canary.0

Fixed

16.1.0-canary.17

GHSA-w37m-7fhw-fmv9

Affected packages

npm

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges

next

Package

Affected ranges