[GHSA-5f7q-jpqc-wp7h] Next.js has Unbounded Memory Consumption via PPR Resume Endpoint #6740
Conversation
Hi there @andresriancho! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
This PR updates the Next.js security advisory GHSA-5f7q-jpqc-wp7h to reflect accurate version information for CVE-2025-59472, which addresses unbounded memory consumption via the PPR Resume Endpoint.
Changes:
- Corrected the vulnerable version range to start from 15.6.0-canary.0 instead of 15.0.0-canary.0
- Updated the fixed versions to include stable releases 15.5.10 and 15.5.11 in addition to the canary version
- Added database-specific metadata to clarify the last known affected version range
| }, | ||
| { | ||
| "fixed": "15.6.0-canary.61" | ||
| "fixed": "15.6.0-canary.61, 15.5.10, 15.5.11" |
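Review bot: the new value on the line `"fixed": "15.6.0-canary.61, 15.5.10, 15.5.11"` is a comma-separated list in a field that holds exactly one version, so any consumer that parses `fixed` as a version string will reject or misread this range. Each fixed version needs its own event object, e.g. `{ "fixed": "15.6.0-canary.61" }`, `{ "fixed": "15.5.10" }`, `{ "fixed": "15.5.11" }`; and because 15.5.10 and 15.5.11 sort before a 15.6.0 canary, they cannot sit in the same events array as a 15.6.0-canary introduced bound and would need a range of their own.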
Copilot (AI), Jan 29, 2026
The 'fixed' field should contain a single version string, not a comma-separated list. According to standard advisory schemas, multiple fixed versions should be represented as separate event objects with their own 'fixed' fields within the events array.
| "fixed": "15.6.0-canary.61, 15.5.10, 15.5.11" | |
| "fixed": "15.6.0-canary.61" | |
| }, | |
| { | |
| "fixed": "15.5.10" | |
| }, | |
| { | |
| "fixed": "15.5.11" |
| "events": [ | ||
| { | ||
| "introduced": "15.0.0-canary.0" | ||
| "introduced": "15.6.0-canary.0" |
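Review bot: moving `introduced` from `15.0.0-canary.0` to `15.6.0-canary.0` contradicts the same PR's claim that 15.5.10 and 15.5.11 are fixed versions, since both of those precede 15.6.0-canary.0; a range that starts at 15.6.0-canary.0 cannot have a fix at 15.5.10. Either the 15.5.x fixes belong in a separate range with an earlier `introduced` bound, or 15.5.10/15.5.11 should not be listed as fixed for this range; the Vercel changelog cited in the comments should settle which, and the ranges should be checked against it before merging.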
Copilot (AI), Jan 29, 2026
The introduced version '15.6.0-canary.0' appears inconsistent with the stable fixed versions '15.5.10' and '15.5.11'. If versions 15.5.10 and 15.5.11 contain fixes, the vulnerability must have been introduced before 15.5.10, not at 15.6.0-canary.0. This suggests the version range is incorrect.
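The two review comments above come down to two mechanical checks on an OSV-style `events` array: every `fixed` value must be a single parseable version, and every `fixed` must sort after the `introduced` that opens its range. The following validator is an added example, not code from this repository or from the Next.js project, and it applies those checks to the ranges visible in this PR. The version comparison follows SemVer precedence (a pre-release such as `15.6.0-canary.0` sorts before `15.6.0` and after `15.5.11`); the `SPLIT` ranges at the end are a hypothetical shape that passes the checks, not a statement of which Next.js versions are actually affected.

```python
"""Added example: validate OSV-style version ranges (as used in GHSA JSON)."""
from __future__ import annotations

import re

# major.minor.patch with an optional "-prerelease" suffix (e.g. 15.6.0-canary.61)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
EVENT_KINDS = {"introduced", "fixed", "last_affected"}


def parse_version(text: str) -> tuple:
    """Turn a single version string into a key that sorts by SemVer precedence.

    A release sorts after any pre-release with the same core, and numeric
    pre-release identifiers sort before alphanumeric ones.  The OSV sentinel
    "0" (used for 'introduced' to mean "from the beginning") is accepted.
    Anything that is not one version (e.g. a comma-separated list) raises.
    """
    text = text.strip()
    if text == "0":
        return (0, 0, 0, 0, ())
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a single SemVer version: {text!r}")
    core = tuple(int(p) for p in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())  # release > every pre-release of the same core
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, parts)


def check_range(events: list[dict]) -> list[str]:
    """Return the problems found in one OSV 'events' array (empty list = OK)."""
    problems: list[str] = []
    if not events:
        return ["events array is empty"]
    if "introduced" not in events[0]:
        problems.append("first event must be 'introduced'")
    lower = None  # key of the most recent 'introduced' event in this range
    for i, ev in enumerate(events):
        if len(ev) != 1 or next(iter(ev)) not in EVENT_KINDS:
            problems.append(f"event {i}: needs exactly one key from {sorted(EVENT_KINDS)}")
            continue
        kind, value = next(iter(ev.items()))
        try:
            key = parse_version(value)
        except ValueError as exc:
            problems.append(f"event {i} ({kind}): {exc}")
            continue
        if kind == "introduced":
            lower = key
        elif lower is None:
            problems.append(f"event {i} ({kind}={value}): no preceding 'introduced'")
        elif key <= lower:
            problems.append(f"event {i} ({kind}={value}): does not sort after the range's 'introduced'")
    return problems


# Constructed from the ranges visible in this PR's diff and review suggestion.
ORIGINAL = [{"introduced": "15.0.0-canary.0"}, {"fixed": "15.6.0-canary.61"}]
PR_AS_SUBMITTED = [{"introduced": "15.6.0-canary.0"},
                   {"fixed": "15.6.0-canary.61, 15.5.10, 15.5.11"}]
SUGGESTED = [{"introduced": "15.6.0-canary.0"}, {"fixed": "15.6.0-canary.61"},
             {"fixed": "15.5.10"}, {"fixed": "15.5.11"}]
# Hypothetical shape only (an assumption of this example, not the advisory's
# content): one range per release line so each 'fixed' follows its 'introduced'.
SPLIT = [[{"introduced": "0"}, {"fixed": "15.5.10"}],
         [{"introduced": "15.6.0-canary.0"}, {"fixed": "15.6.0-canary.61"}]]

if __name__ == "__main__":
    for name, rng in [("ORIGINAL", ORIGINAL), ("PR_AS_SUBMITTED", PR_AS_SUBMITTED),
                      ("SUGGESTED", SUGGESTED)] + [(f"SPLIT[{i}]", r) for i, r in enumerate(SPLIT)]:
        print(name, check_range(rng) or "OK")
```

Running it reports the comma-separated `fixed` value as unparseable and flags `15.5.10` and `15.5.11` in the suggested form as sorting before `15.6.0-canary.0`, while the original range and the split ranges pass. The same checks are cheap to run in CI over every affected range in an advisory JSON file before it is merged.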
I sent another suggestion to include the fixed versions.
Comments
According to Vercel, NextJS v15.5.10 and v15.5.11 already contain a patch against these vulnerabilities.
https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
https://www.cve.org/CVERecord?id=CVE-2025-59472