Copilot AI commented Dec 16, 2025

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

*This pull request was created as a result of the following prompt from Copilot chat.*
> # 🔒 CRITICAL SECURITY PATCH - DUAL VULNERABILITIES
> 
> ## Critical Vulnerabilities to Fix
> 
> This repository is vulnerable to **TWO critical RCE vulnerabilities**:
> 1. **CVE-2025-66478** - Next.js Server Actions RCE
> 2. **CVE-2025-55182** - React2Shell vulnerability
> 
> ### Current Versions
> - **Next.js**: `^15.3.4` ❌ VULNERABLE to CVE-2025-66478
> - **React**: `^19.1.0` ❌ VULNERABLE to CVE-2025-55182
> - **React-DOM**: `^19.1.0` ❌ VULNERABLE to CVE-2025-55182
> 
> ### Attack Context
> An active RCE attack was detected targeting Next.js infrastructure:
> - **Attacker IP**: 5.199.174.151
> - **Attack Vector**: Next.js Server Actions RCE exploit
> - **Attempted Payload**: Remote script execution
> - **Status**: MUST PATCH IMMEDIATELY
> 
> ## Required Changes
> 
> ### 1. Update Dependencies in `package.json`
> 
> Update to patched versions:
> ```json
> {
>   "dependencies": {
>     "next": "^15.5.7",
>     "react": "^19.1.2",
>     "react-dom": "^19.1.2"
>   }
> }
> ```
> 
> ### 2. Add Security Headers in `next.config.js`
> 
> Create or update the Next.js configuration:
> 
> ```javascript
> /** @type {import('next').NextConfig} */
> const nextConfig = {
>   async headers() {
>     return [
>       {
>         source: '/:path*',
>         headers: [
>           {
>             key: 'Content-Security-Policy',
>             value: [
>               "default-src 'self'",
>               "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
>               "style-src 'self' 'unsafe-inline'",
>               "img-src 'self' data: https:",
>               "font-src 'self' data:",
>               "connect-src 'self' https:",
>               "frame-ancestors 'none'",
>               "base-uri 'self'",
>               "form-action 'self'"
>             ].join('; ')
>           },
>           {
>             key: 'X-Frame-Options',
>             value: 'DENY'
>           },
>           {
>             key: 'X-Content-Type-Options',
>             value: 'nosniff'
>           },
>           {
>             key: 'Referrer-Policy',
>             value: 'strict-origin-when-cross-origin'
>           },
>           {
>             key: 'Permissions-Policy',
>             value: 'camera=(), microphone=(), geolocation=()'
>           }
>         ]
>       }
>     ]
>   },
>   // Restrict Server Actions to trusted origins
>   experimental: {
>     serverActions: {
>       allowedOrigins: ['electrosage.yourdomain.com'] // Update with your domain
>     }
>   }
> }
> 
> module.exports = nextConfig
> ```
> 
> ### 3. Add Security Middleware in `middleware.ts`
> 
> Create middleware to block suspicious requests:
> 
> ```typescript
> import { NextResponse } from 'next/server'
> import type { NextRequest } from 'next/server'
> 
> export function middleware(request: NextRequest) {
>   // Block suspicious patterns commonly used in RCE attacks
>   const suspiciousPatterns = [
>     /eval\(/i,
>     /exec\(/i,
>     /system\(/i,
>     /wget/i,
>     /curl/i,
>     /bash/i,
>     /sh\s+-c/i,
>     /__proto__/i,
>     /constructor\[/i,
>     /process\.env/i
>   ]
> 
>   const url = request.url.toLowerCase()
>   const body = request.body ? request.body.toString().toLowerCase() : ''
> 
>   for (const pattern of suspiciousPatterns) {
>     if (pattern.test(url) || pattern.test(body)) {
>       console.error(`[SECURITY] Blocked suspicious request: ${request.url}`)
>       return new NextResponse('Forbidden - Suspicious pattern detected', { status: 403 })
>     }
>   }
> 
>   // Block known malicious User-Agents
>   const userAgent = request.headers.get('user-agent') || ''
>   const suspiciousAgents = ['wget', 'curl', 'python-requests', 'go-http-client']
>   
>   if (suspiciousAgents.some(agent => userAgent.toLowerCase().includes(agent))) {
>     console.warn(`[SECURITY] Suspicious User-Agent blocked: ${userAgent}`)
>     return new NextResponse('Forbidden - Suspicious User-Agent', { status: 403 })
>   }
> 
>   // Block the specific attacker IP
>   const clientIp = request.headers.get('x-forwarded-for') || 
>                    request.headers.get('x-real-ip') || 
>                    'unknown'
>   
>   if (clientIp.includes('5.199.174.151')) {
>     console.error(`[SECURITY] Blocked known attacker IP: ${clientIp}`)
>     return new NextResponse('Forbidden', { status: 403 })
>   }
> 
>   return NextResponse.next()
> }
> 
> export const config = {
>   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)']
> }
> ```
> 
> ### 4. Add Comprehensive Security Scanning Workflow
> 
> Create `.github/workflows/security-scan.yml`:
> 
> ```yaml
> name: Security Vulnerability Scan
> 
> on:
>   push:
>     branches: [ main, master ]
>   pull_request:
>     branches: [ main, master ]
>   schedule:
>     # Run daily at 2 AM UTC
>     - cron: '0 2 * * *'
>   workflow_dispatch:
> 
> jobs:
>   npm-audit:
>     name: NPM Security Audit
>     runs-on: ubuntu-latest
>     
>     steps:
>       - name: Checkout code
>         uses: actions/checkout@v4
>         
>       - name: Setup Node.js
>         uses: actions/setup-node@v4
>         with:
>           node-version: '20'
>           cache: 'npm'
>           
>       - name: Install dependencies
>         run: npm ci
>         
>       - name: Run npm audit
>         run: |
>           npm audit --audit-level=high --json > audit-report.json || true
>           cat audit-report.json
>           
>       - name: Check for vulnerabilities
>         run: |
>           VULNS=$(npm audit --audit-level=high --json | jq '.metadata.vulnerabilities.high + .metadata.vulnerabilities.critical')
>           echo "Found $VULNS high/critical vulnerabilities"
>           if [ "$VULNS" -gt 0 ]; then
>             echo "::error::Found $VULNS high or critical vulnerabilities!"
>             exit 1
>           fi
>           
>       - name: Upload audit report
>         if: always()
>         uses: actions/upload-artifact@v4
>         with:
>           name: npm-audit-report
>           path: audit-report.json
>           retention-days: 30
> 
>   cve-check:
>     name: Check for Specific CVEs
>     runs-on: ubuntu-latest
>     
>     steps:
>       - name: Checkout code
>         uses: actions/checkout@v4
>         
>       - name: Setup Node.js
>         uses: actions/setup-node@v4
>         with:
>           node-version: '20'
>           
>       - name: Check Next.js for CVE-2025-66478
>         run: |
>           NEXTJS_VERSION=$(node -p "require('./package.json').dependencies.next" | tr -d '^~')
>           echo "Next.js version: $NEXTJS_VERSION"
>           
>           if [[ "$NEXTJS_VERSION" =~ ^15\. ]]; then
>             MAJOR=$(echo $NEXTJS_VERSION | cut -d. -f1)
>             MINOR=$(echo $NEXTJS_VERSION | cut -d. -f2)
>             PATCH=$(echo $NEXTJS_VERSION | cut -d. -f3)
>             
>             if [ "$MINOR" -lt 5 ] || ([ "$MINOR" -eq 5 ] && [ "$PATCH" -lt 7 ]); then
>               echo "::error::Next.js $NEXTJS_VERSION is vulnerable to CVE-2025-66478. Upgrade to 15.5.7+"
>               exit 1
>             fi
>           fi
>           
>           echo "✅ Next.js version is safe from CVE-2025-66478"
>           
>       - name: Check React for CVE-2025-55182
>         run: |
>           REACT_VERSION=$(node -p "require('./package.json').dependencies.react" | tr -d '^~')
>           echo "React version: $REACT_VERSION"
>           
>           if [[ "$REACT_VERSION" =~ ^19\.0\. ]]; then
>             echo "::error::React $REACT_VERSION is vulnerable to CVE-2025-55182 (React2Shell). Upgrade to 19.2.1+"
>             exit 1
>           elif [[ "$REACT_VERSION" =~ ^19\.1\. ]]; then
>             PATCH=$(echo $REACT_VERSION | cut -d. -f3)
>             if [ "$PATCH" -lt 2 ]; then
>               echo "::error::React $REACT_VERSION is vulnerable to CVE-2025-55182 (React2Shell). Upgrade to 19.1.2+"
>               exit 1
>             fi
>           fi
>           
>           echo "✅ React version is safe from CVE-2025-55182"
> 
>   dependency-review:
>     name: Dependency Review
>     runs-on: ubuntu-latest
>     if: github.event_name == 'pull_request'
>     
>     steps:
>       - name: Checkout code
>         uses: actions/checkout@v4
>         
>       - name: Dependency Review
>         uses: actions/dependency-review-action@v4
>         with:
>           fail-on-severity: high
>           deny-licenses: GPL-3.0, AGPL-3.0
> 
>   CodeQL-Analysis:
>     name: CodeQL Security Analysis
>     runs-on: ubuntu-latest
>     permissions:
>       actions: read
>       contents: read
>       security-events: write
>     
>     steps:
>       - name: Checkout code
>         uses: actions/checkout@v4
>         
>       - name: Initialize CodeQL
>         uses: github/codeql-action/init@v3
>         with:
>           languages: javascript, typescript
>           
>       - name: Perform CodeQL Analysis
>         uses: github/codeql-action/analyze@v3
> ```
> 
> ### 5. Add Auto-Patch Workflow
> 
> Create `.github/workflows/auto-patch-security.yml`:
> 
> ```yaml
> name: Auto-Patch Security Vulnerabilities
> 
> on:
>   schedule:
>     # Run weekly on Monday at 3 AM UTC
>     - cron: '0 3 * * 1'
>   workflow_dispatch:
> 
> permissions:
>   contents: write
>   pull-requests: write
> 
> jobs:
>   auto-patch:
>     name: Create Security Patch PR
>     runs-on: ubuntu-latest
>     
>     steps:
>       - name: Checkout code
>         uses: actions/checkout@v4
>         
>       - name: Setup Node.js
>         uses: actions/setup-node@v4
>         with:
>           node-version: '20'
>           cache: 'npm'
>           
>       - name: Install dependencies
>         run: npm ci
>         
>       - name: Check for vulnerabilities
>         id: audit
>         run: |
>           npm audit --audit-level=moderate --json > audit-before.json || true
>           VULNS=$(jq '.metadata.vulnerabilities.moderate + .metadata.vulnerabilities.high + .metadata.vulnerabilities.critical' audit-before.json)
>           echo "vulnerabilities=$VULNS" >> $GITHUB_OUTPUT
>           
>       - name: Run npm audit fix
>         if: steps.audit.outputs.vulnerabilities > 0
>         run: |
>           npm audit fix
>           npm audit --audit-level=moderate --json > audit-after.json || true
>           
>       - name: Create Pull Request
>         if: steps.audit.outputs.vulnerabilities > 0
>         uses: peter-evans/create-pull-request@v6
>         with:
>           token: ${{ secrets.GITHUB_TOKEN }}
>           commit-message: |
>             🔒 chore(security): Auto-patch npm vulnerabilities
>             
>             - Ran npm audit fix
>             - Fixed ${{ steps.audit.outputs.vulnerabilities }} vulnerabilities
>           branch: security/auto-patch-${{ github.run_number }}
>           delete-branch: true
>           title: '🔒 Security: Auto-patch npm vulnerabilities'
>           body: |
>             ## 🔒 Automated Security Patch
>             
>             ### Summary
>             - Patched **${{ steps.audit.outputs.vulnerabilities }}** vulnerabilities
>             - Ran `npm audit fix`
>             
>             ### Next Steps
>             1. Review changes
>             2. Test locally
>             3. Merge if checks pass
>           labels: |
>             security
>             dependencies
>             automated
> ```
> 
> ### 6. Update Dockerfile with Security Best Practices
> 
> If using Docker, update Dockerfile:
> 
> ```dockerfile
> FROM node:20-alpine AS base
> 
> # Security: Remove unnecessary packages
> RUN apk add --no-cache libc6-compat
> RUN apk del --purge apk-tools bash curl wget
> 
> # Run as non-root
> USER node
> 
> # Security environment variables
> ENV NODE_ENV=production
> ENV NEXT_TELEMETRY_DISABLED=1
> 
> WORKDIR /app
> 
> # ... rest of Dockerfile
> ```
> 
> ### 7. Regenerate Lock File
> 
> After updating package.json:
> ```bash
> npm install
> npm audit
> ```
> 
> ### 8. Verify the Patch
> 
> ```bash
> npm audit --audit-level=high
> npm list next react react-dom
> npm run build
> ```
> 
> ## Success Criteria
> 
> - ✅ Next.js upgraded to 15.5.7+
> - ✅ React upgraded to 19.1.2+
> - ✅ React-DOM upgraded to 19.1.2+
> - ✅ Security headers configured
> - ✅ Security middleware added
> - ✅ npm audit shows 0 high/critical vulnerabilities
> - ✅ Security scanning workflows active
> - ✅ Auto-patch workflow configured
> - ✅ Application builds successfully
> - ✅ All tests pass
> 
> ## Impact
> 
> This repository had **BOTH** critical RCE vulnerabilities. Immediate patching is essential to prevent:
> - Remote code execution
> - Data exfiltration
> - Infrastructure compromise
> - Supply chain attacks
> 
> **CRITICAL**: Deploy immediately after merging!
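
The middleware in the prompt above decides on the blocked address with `includes()` over the raw `x-forwarded-for` value. The following is an added example, not part of the prompt or the PR, that compares that check with an exact match on the entry appended by a trusted proxy. The single trusted proxy and the sample header values are assumptions constructed for illustration.

```javascript
// Address the page's middleware blocks (taken from the page).
const BLOCKED_IPS = new Set(['5.199.174.151']);

// Assumption: exactly one trusted reverse proxy sits in front of the app and
// appends the peer address it saw to X-Forwarded-For.
const TRUSTED_PROXY_COUNT = 1;

// Trim, lowercase and strip the IPv4-mapped IPv6 prefix so that
// "::ffff:1.2.3.4" compares equal to "1.2.3.4".
function normalizeIp(ip) {
  return ip.trim().toLowerCase().replace(/^::ffff:/, '');
}

// Return the entry written by the outermost trusted proxy. Everything to its
// left arrived inside the client's own request and is not trustworthy.
function clientIpFromForwardedFor(headerValue, trustedProxyCount = TRUSTED_PROXY_COUNT) {
  if (!headerValue || trustedProxyCount < 1) return null;
  const hops = headerValue.split(',').map(normalizeIp).filter(Boolean);
  const index = hops.length - trustedProxyCount;
  return index >= 0 ? hops[index] : null;
}

// Exact-match decision; a missing address is reported, not silently allowed.
function decide(headerValue) {
  const ip = clientIpFromForwardedFor(headerValue);
  if (ip === null) return { ip, action: 'no-trusted-address' };
  return { ip, action: BLOCKED_IPS.has(ip) ? 'block' : 'allow' };
}

// The page's check, reproduced for comparison: substring match on the raw header.
function pageStyleMatch(headerValue) {
  return (headerValue || 'unknown').includes('5.199.174.151');
}

// Constructed header values (203.0.113.0/24 is a documentation range).
const SAMPLES = [
  '5.199.174.151',               // listed address, single hop
  '25.199.174.151',              // different host whose text contains the listed one
  '203.0.113.9, 5.199.174.151',  // client-supplied entry first, proxy-appended last
  '5.199.174.151, 203.0.113.20', // listed address only in the client-supplied part
  '::ffff:5.199.174.151',        // IPv4-mapped IPv6 form of the listed address
];

// One row per sample: the page's substring verdict next to the exact-match verdict.
function compare() {
  return SAMPLES.map(h => ({ header: h, page: pageStyleMatch(h), exact: decide(h).action }));
}
```

The second and fourth samples are blocked by the substring check although the address the proxy recorded is not the listed one.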


Copilot stopped work on behalf of EmminiX due to an error December 16, 2025 12:18
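
The `cve-check` job in the prompt reads the declared range from `package.json` (for example `^15.3.4` with the caret stripped), which is not necessarily the version that gets installed. The following is an added example, not part of the prompt or the PR, that checks every resolved copy in a `package-lock.json` `packages` map against the floors listed under the prompt's Success Criteria. The lockfile excerpt and the `example-widget` package are constructed, and using one floor per package is a simplifying assumption.

```javascript
// Floors from the page's "Success Criteria". One floor per package is a
// simplifying assumption; other release lines may have their own fixed version.
const MINIMUMS = { next: '15.5.7', react: '19.1.2', 'react-dom': '19.1.2' };

// Parse "major.minor.patch", ignoring any prerelease or build suffix.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so 15.10.0 is not treated as lower than 15.5.7.
function isBelow(version, floor) {
  const a = parseVersion(version);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk a lockfileVersion 2/3 "packages" map and report every installed copy,
// top-level or nested, of a tracked package that resolves below its floor.
function findVulnerableInstalls(lock, minimums = MINIMUMS) {
  const marker = 'node_modules/';
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf(marker);
    if (at === -1 || !entry.version) continue; // root project or link entry
    const name = path.slice(at + marker.length);
    const floor = minimums[name];
    if (floor && isBelow(entry.version, floor)) {
      findings.push({ path, name, version: entry.version, floor });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: the declared ranges still look old, the
// top-level installs are at the floor, and one nested copy of react is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { next: '^15.3.4', react: '^19.1.0', 'react-dom': '^19.1.0' } },
    'node_modules/next': { version: '15.5.7' },
    'node_modules/react': { version: '19.1.2' },
    'node_modules/react-dom': { version: '19.1.2' },
    'node_modules/example-widget/node_modules/react': { version: '19.1.0' },
  },
};
```

In a pipeline, `SAMPLE_LOCK` would be replaced by the parsed contents of the repository's `package-lock.json`, and a non-empty result would fail the job.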