
Security: thisyearnofear/Carolers


SECURITY.md

🚨 Security Advisory: React2Shell Vulnerability (CVE-2025-55182)

Current Status: ✅ PATCHED - UPGRADE COMPLETED

  • Current Version: Next.js 16.1.0 ✅
  • React Version: 18.3.1 ✅
  • Vulnerability: CVE-2025-55182 (React2Shell) - PATCHED
  • Severity: CRITICAL - Remote Code Execution (now mitigated)
  • Upgrade Date: December 19, 2025

Immediate Mitigations Applied

1. Security Headers

  • Added X-React2Shell-Protection response header (an informational marker for operators and scanners; on its own it does not change how the server handles requests)
  • Strict Content-Security-Policy
  • XSS and clickjacking protection
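
One way to express the header set above as a headers() provider for next.config.ts. This is an added example for this advisory, not code from the Carolers repository; the CSP sources are placeholders to adapt per deployment, and the X-React2Shell-Protection value is an assumed marker string.

```typescript
// Added example for this advisory, not code from the Carolers repository.
// A headers() provider for next.config.ts that emits the headers the section
// lists. The CSP sources are placeholders to adapt per deployment.

export interface Header { key: string; value: string }

// One array per directive so individual sources can be added or removed.
export const CSP_DIRECTIVES: Record<string, string[]> = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],                   // add a per-request nonce if inline scripts are required
  "style-src": ["'self'", "'unsafe-inline'"], // many CSS-in-JS setups need this; tighten if possible
  "img-src": ["'self'", "data:", "https:"],
  "connect-src": ["'self'"],
  "frame-ancestors": ["'none'"],              // clickjacking: the CSP form of X-Frame-Options: DENY
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
};

export function buildCsp(directives: Record<string, string[]> = CSP_DIRECTIVES): string {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

export function securityHeaders(): Header[] {
  return [
    { key: "Content-Security-Policy", value: buildCsp() },
    { key: "X-Frame-Options", value: "DENY" },               // for browsers that predate frame-ancestors
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    // Informational marker only (assumed value): clients can see it, but it changes
    // nothing about how the server parses RSC payloads; the version upgrade is the fix.
    { key: "X-React2Shell-Protection", value: "patched" },
  ];
}

// Wiring in next.config.ts, using the Next.js headers() config API:
//   const nextConfig = {
//     async headers() { return [{ source: "/(.*)", headers: securityHeaders() }]; },
//   };
//   export default nextConfig;
```

Roll a new CSP out as Content-Security-Policy-Report-Only first and watch the violation reports before switching the key to Content-Security-Policy; a strict policy applied cold will break third-party scripts and inline styles. After deploying, confirm the headers are actually served with `curl -sI https://<your-host>/`.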

2. Middleware Protection

  • Blocking suspicious RSC-related paths (__rsc, server-components, etc.)
  • Content-Type validation for POST requests
  • Request logging for suspicious activity

3. Configuration Changes

  • Disabled server actions in production
  • Hardened webpack configuration (Node.js module isolation)

Required Actions

✅ COMPLETED: Upgrade Successful

Upgrade Summary:

  • ✅ Next.js: 15.0.3 → 16.1.0
  • ✅ React: 18.3.1 (already patched)
  • ✅ React DOM: 18.3.1 (already patched)

Changes Made:

  • Updated images.domains → images.remotePatterns (Next.js 16 requirement)
  • Fixed webpack configuration for Turbopack compatibility
  • Maintained all security headers and protections
  • Updated TypeScript configuration

Verification:

```bash
# Verify installed versions
npm list next react react-dom --depth=0

# Test build
npm run build
```
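
Reading the version list by eye is fine once; a CI gate keeps it from silently regressing on the next dependency bump. The following is an added example for this advisory, not part of the Carolers repository: it parses the output of `npm ls next react react-dom --depth=0 --json` and fails if any package is below a baseline. The baseline values are the versions this page reports as installed, used here only as an assumption; replace them with the minimum patched releases you have verified for your branch.

```typescript
// Added example for this advisory, not part of the Carolers repository.
// A gate over `npm ls next react react-dom --depth=0 --json` that fails when
// an installed version is below a baseline. The baseline is what this page
// reports as installed (an assumption for illustration); replace it with the
// minimum patched releases you have verified.

export const BASELINE: Record<string, string> = {
  next: "16.1.0",
  react: "18.3.1",
  "react-dom": "18.3.1",
};

interface Parsed { core: number[]; pre: string | null }

function parseVersion(v: string): Parsed {
  // "16.1.0-canary.3" -> core [16, 1, 0], pre "canary.3"
  const [core, ...rest] = v.split("-");
  return { core: core.split(".").map(Number), pre: rest.length ? rest.join("-") : null };
}

// Returns -1, 0 or 1. A pre-release sorts below the release with the same core,
// so "16.1.0-canary.3" does not satisfy a "16.1.0" baseline.
export function compareSemver(a: string, b: string): number {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.core[i] ?? 0) - (pb.core[i] ?? 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Shape of the `npm ls --json` output this gate reads.
export interface NpmLs { dependencies?: Record<string, { version?: string }> }

export function checkVersions(ls: NpmLs, baseline: Record<string, string> = BASELINE): string[] {
  const problems: string[] = [];
  for (const [name, min] of Object.entries(baseline)) {
    const installed = ls.dependencies?.[name]?.version;
    if (!installed) { problems.push(`${name}: not installed`); continue; }
    if (compareSemver(installed, min) < 0) problems.push(`${name}: ${installed} is below ${min}`);
  }
  return problems;
}

// Constructed sample (the pre-upgrade state this page describes), not a real run.
export const SAMPLE_LS: NpmLs = {
  dependencies: { next: { version: "15.0.3" }, react: { version: "18.3.1" }, "react-dom": { version: "18.3.1" } },
};

// CI use: pipe the real output in and exit non-zero on any problem, e.g.
//   npm ls next react react-dom --depth=0 --json | npx tsx check-versions.ts
// where check-versions.ts reads stdin, calls checkVersions(JSON.parse(input))
// and calls process.exit(1) if the returned array is non-empty.
```

Run on the sample above, checkVersions reports only `next: 15.0.3 is below 16.1.0`, which is the state this page describes before the upgrade.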

⚠️ RECOMMENDED: Rotate Secrets (If Exposed)

If your application was online after December 4, 2025, 1:00 PM PT:

  1. Database credentials - Rotate immediately
  2. API keys - Regenerate all keys
  3. Authentication secrets - Update Clerk and other auth providers
  4. Environment variables - Change all sensitive values

✅ ACTIVE: Vercel Protection

  1. ✅ Security Headers: Active in next.config.ts
  2. ✅ Middleware Protection: Active in middleware.ts
  3. ✅ Webpack Security: Node.js module isolation
  4. ⚠️ Vercel WAF: Enable in Vercel dashboard

🔴 Enable Vercel Protection

  1. Turn on Standard Protection for all deployments
  2. Audit all shareable links
  3. Enable Vercel WAF rules

πŸ›‘οΈ Current Protection Status

βœ… FULLY PATCHED - React2Shell Mitigated

Protection Layer Status Notes
Next.js Version βœ… 16.1.0 (PATCHED) React2Shell vulnerability fixed
Server Actions βœ… Disabled in production Prevents main exploit vector
Security Headers βœ… Active Blocks known attack patterns
Middleware βœ… Active Filters suspicious requests
Webpack Config βœ… Active Prevents dangerous bundling
Database Security βœ… Active Server-side enforcement
React Version βœ… 18.3.1 (Safe) No known vulnerabilities

Monitoring

Suspicious Activity Indicators

  • Requests to paths containing:

    • __rsc
    • server-components
    • react-server
    • rsc-payload
  • Unusual POST requests with non-JSON content types

  • Multiple failed requests to API endpoints
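
The rules listed under Middleware Protection and the indicators listed above are the same checks applied at two points: at request time in middleware.ts, and afterwards over access logs. The block below is an added example for this advisory, not the Carolers project's middleware or logging: one pure classifier covering the four path fragments above and the POST content-type rule, plus a log scanner that adds the per-IP failed-API-request count. Assumptions: the JSON-only rule is scoped to POSTs under /api/, the log line format is constructed for this example, and five failed API calls from one IP is the reporting threshold.

```typescript
// Added example for this advisory, not the Carolers project's middleware.ts
// or logging. The rules from "Middleware Protection" and "Suspicious Activity
// Indicators" as one pure classifier, usable at request time and over logs.
// Assumptions: JSON-only applies to POSTs under /api/, the log line format is
// invented for this example, and five failed API calls per IP is the threshold.

export const SUSPICIOUS_PATH_FRAGMENTS = ["__rsc", "server-components", "react-server", "rsc-payload"];

export interface RequestFacts { method: string; pathname: string; contentType?: string }
export type Decision =
  | { action: "allow" }
  | { action: "block"; status: 403 | 415; reason: string };

function safeDecode(s: string): string | null {
  try { return decodeURIComponent(s); } catch { return null; }
}

export function classifyRequest(req: RequestFacts): Decision {
  // Decode, then lower-case, so "%5F%5Frsc" or "__RSC" cannot bypass a literal match.
  const decoded = safeDecode(req.pathname);
  if (decoded === null) return { action: "block", status: 403, reason: "malformed percent-encoding" };
  const path = decoded.toLowerCase();
  const hit = SUSPICIOUS_PATH_FRAGMENTS.find((f) => path.includes(f));
  if (hit) return { action: "block", status: 403, reason: `suspicious RSC path fragment: ${hit}` };
  // JSON-only is scoped to /api/: Next.js posts server actions to page routes as
  // multipart/form-data or text/plain, so a global rule would break the app itself.
  if (req.method.toUpperCase() === "POST" && path.startsWith("/api/")) {
    const mime = (req.contentType ?? "").split(";")[0].trim().toLowerCase();
    if (mime !== "application/json") {
      return { action: "block", status: 415, reason: `unexpected content type: ${mime || "(none)"}` };
    }
  }
  return { action: "allow" };
}

// Request-time wiring (Next.js middleware.ts; a comment because it needs the runtime):
//   import { NextResponse, type NextRequest } from "next/server";
//   export function middleware(req: NextRequest) {
//     const d = classifyRequest({ method: req.method, pathname: req.nextUrl.pathname,
//                                 contentType: req.headers.get("content-type") ?? undefined });
//     if (d.action === "block") {
//       console.warn(`Blocked suspicious RSC request: ${req.method} ${req.nextUrl.pathname} (${d.reason})`);
//       return new NextResponse(null, { status: d.status });
//     }
//     return NextResponse.next();
//   }

// Log-side use. Constructed line format: "<iso-time> <ip> <method> <path> <status> <content-type or ->".
export interface Finding { ip: string; kind: "suspicious-request" | "api-failure-burst"; detail: string }
export const FAILED_API_THRESHOLD = 5;

export function scanAccessLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  const failedApiByIp = new Map<string, number>();
  for (const line of lines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 6) continue; // not in the expected format; skip rather than guess
    const [, ip, method, path, statusText, ct] = parts;
    const d = classifyRequest({ method, pathname: path, contentType: ct === "-" ? undefined : ct });
    if (d.action === "block") findings.push({ ip, kind: "suspicious-request", detail: `${method} ${path}: ${d.reason}` });
    if (path.toLowerCase().startsWith("/api/") && Number(statusText) >= 400) {
      const n = (failedApiByIp.get(ip) ?? 0) + 1;
      failedApiByIp.set(ip, n);
      // Report once, when the threshold is crossed, rather than on every further failure.
      if (n === FAILED_API_THRESHOLD) findings.push({ ip, kind: "api-failure-burst", detail: `${n} failed API requests` });
    }
  }
  return findings;
}

// Constructed sample log (documentation addresses, not real traffic).
export const SAMPLE_LOG: string[] = [
  "2025-12-19T10:00:00Z 203.0.113.7 GET /__rsc 404 -",
  "2025-12-19T10:00:01Z 203.0.113.7 POST /api/songs 415 text/plain",
  "2025-12-19T10:00:02Z 203.0.113.7 GET /%5F%5Frsc 404 -",
  "2025-12-19T10:00:03Z 198.51.100.4 GET / 200 -",
  "2025-12-19T10:00:04Z 198.51.100.4 POST /api/songs 200 application/json;charset=utf-8",
  "2025-12-19T10:00:05Z 198.51.100.4 POST /sing 200 multipart/form-data;boundary=x",
  ...Array.from({ length: 6 }, (_, i) => `2025-12-19T10:01:0${i}Z 203.0.113.9 GET /api/users/${i} 401 -`),
];
```

Two caveats worth keeping in mind when reading the output. First, a path blocklist only catches naive scanners probing for RSC endpoints by name; exploit traffic for a server-components bug is sent to ordinary routes the application has to serve, which is why the version upgrade, not this filter, is the fix. Second, a 401 burst from one IP is a credential-guessing or enumeration signal rather than a React2Shell signal; it is listed here because the page's indicators include it, and it is worth alerting on regardless of this CVE.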

Log Monitoring

Check your logs for:

Blocked suspicious RSC request:

Additional Resources

Timeline

  • December 4, 2025: Vulnerability publicly disclosed
  • December 5, 2025: Vercel released automated patching tool
  • December 6, 2025: Secret rotation recommended for exposed apps
  • December 8, 2025: Vercel Agent automated upgrades available

Contact

For security incidents, contact:

DO NOT discuss vulnerability details in public channels.
