Description
I'd like to raise a modeling question regarding CVE-2025-55183 and CVE-2025-55184, currently associated with the upstream React RSC packages (react-server-dom-*).
In practice, Next.js is affected even when those packages do not appear as npm dependencies, because Next copies the React Server Components implementation directly into the next package itself (under next/dist/compiled). This means the vulnerable code is physically present and executed from next, rather than being consumed via a standard npm dependency relationship.
The official Next.js advisory explicitly states that:
“These vulnerabilities originate in the upstream React implementation… This advisory tracks the downstream impact on Next.js applications using the App Router.”
https://nextjs.org/blog/security-update-2025-12-11
Next.js addressed these issues by backporting the upstream React fixes into its own vendored code, not by bumping an npm dependency. As a result:
- Applications may be vulnerable even if no react-server-dom-* package exists in the dependency graph
- The only actionable remediation is upgrading next
- SCA/SBOM tools that rely solely on dependency graphs may miss or misattribute the risk
Given this, we wanted to ask whether it would make sense for OSV to also list next as a directly affected downstream package for:
This would more accurately reflect runtime reality and help downstream tooling correctly identify and remediate affected applications.
Thanks for considering!
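The blind spot described in this issue can be made visible with a filesystem check that compares what a dependency-graph SBOM would report with what is physically present under `next/dist/compiled`. This is an added example, not code from OSV, React or Next.js; the `react-server-dom-webpack` directory name, the `0.0.0-fixture` versions and the fixture layout are assumptions constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

VENDORED_PREFIX = "react-server-dom-"  # upstream React RSC package family

def graph_packages(node_modules: Path) -> set[str]:
    """Package names an SBOM built purely from the dependency graph would see."""
    names = set()
    for pkg_json in list(node_modules.glob("*/package.json")) + list(
            node_modules.glob("@*/*/package.json")):
        names.add(json.loads(pkg_json.read_text())["name"])
    return names

def vendored_rsc_copies(node_modules: Path, host: str = "next") -> list[str]:
    """RSC implementations copied into <host>/dist/compiled, invisible to the graph."""
    compiled = node_modules / host / "dist" / "compiled"
    if not compiled.is_dir():
        return []
    return sorted(p.name for p in compiled.iterdir()
                  if p.is_dir() and p.name.startswith(VENDORED_PREFIX))

def audit(node_modules: Path) -> dict:
    """Compare what the graph reports with what is actually executed from next."""
    host_pkg = node_modules / "next" / "package.json"
    return {
        # the version to compare against the Next.js advisory, since upgrading next is the fix
        "next_version": json.loads(host_pkg.read_text())["version"] if host_pkg.exists() else None,
        "graph_has_rsc": any(n.startswith(VENDORED_PREFIX) for n in graph_packages(node_modules)),
        "vendored_rsc": vendored_rsc_copies(node_modules),
    }

def build_fixture(root: Path) -> Path:
    """Constructed node_modules: next and react as npm deps, RSC only as a vendored copy."""
    nm = root / "node_modules"
    for name in ("next", "react"):
        (nm / name).mkdir(parents=True)
        (nm / name / "package.json").write_text(json.dumps({"name": name, "version": "0.0.0-fixture"}))
    vendored = nm / "next" / "dist" / "compiled" / "react-server-dom-webpack"  # directory name assumed
    vendored.mkdir(parents=True)
    (vendored / "package.json").write_text(json.dumps({"name": "react-server-dom-webpack"}))
    return nm

def demo() -> dict:
    """Run the audit against the constructed fixture in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_fixture(Path(tmp)))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real project, point `audit()` at the application's `node_modules`: a result with `graph_has_rsc` false but a non-empty `vendored_rsc` list is exactly the case a graph-only SCA tool misses, and `next_version` is the value to check against the advisory.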