Summary
internal/site currently uses Next.js 15.4.8, which is affected by three high-severity CVEs:
| CVE | Severity | Type | Fixed In |
| --- | --- | --- | --- |
| CVE-2025-55184 | High (7.5) | React Server Components DoS — infinite loop via deserialization | 15.4.10 / 16.1.7 |
| CVE-2025-67779 | High (7.5) | RSC DoS — incomplete fix for CVE-2025-55184 | 15.4.10 / 16.1.7 |
| CVE-2026-27980 | High (7.5) | Image optimization DoS — unbounded disk cache growth | 16.1.7 only |
Details
CVE-2025-55184 / CVE-2025-67779
A crafted HTTP request to any App Router endpoint can trigger an infinite loop during RSC deserialization, hanging the server process and preventing it from serving future requests. CVE-2025-67779 is the complete fix after the initial CVE-2025-55184 patch was found to be incomplete.
CVE-2026-27980
The default /_next/image optimization endpoint writes cached variants to .next/cache/images/ with no upper bound or eviction policy. An attacker can exhaust disk space by requesting many unique width/quality combinations, causing denial of service.
- Advisory: GHSA-3x4c-7xq6-9pq8
- Fix introduces an LRU disk cache with the images.maximumDiskCacheSize config option.
Proposed Fix
Option A (minimal, addresses 2 of 3 CVEs):
Upgrade Next.js from 15.4.8 → 15.4.10 to fix CVE-2025-55184 and CVE-2025-67779. CVE-2026-27980 remains open (fix only in 16.1.7+).
Option B (complete, addresses all 3 CVEs):
Upgrade Next.js from 15.4.8 → 16.1.7 (or latest 16.x). This is a major version bump and may require migration work. A Dependabot PR already exists (#216) but targets 16.1.5, which is still vulnerable to CVE-2026-27980 — it should be updated to 16.1.7+.
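To make the two options above checkable in CI, here is an added helper (not part of this issue or of Next.js) that takes the Next.js version actually installed (from the lockfile or `npm ls next`) and lists which of the three advisories are still open on it. The fixed-in table is transcribed from the issue; the comparison rule (fixed if a listed fix exists on the same major line and the version is at or above it, or if the major line is newer than any listed fix) and the pre-release handling are assumptions.

```javascript
// Fixed-in releases per advisory, transcribed from the table in this issue.
const ADVISORIES = [
  { id: 'CVE-2025-55184', fixedIn: ['15.4.10', '16.1.7'] },
  { id: 'CVE-2025-67779', fixedIn: ['15.4.10', '16.1.7'] },
  { id: 'CVE-2026-27980', fixedIn: ['16.1.7'] },
];

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v" and optional
// pre-release suffix (e.g. "16.1.7-canary.1"). Anything else is rejected
// rather than guessed at.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// Numeric comparison first; a pre-release of X.Y.Z sorts below the X.Y.Z
// release itself, so a canary build of a fix release is still treated as open.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Assumption: fixes are backported per major line. A version is fixed when a
// listed fix on its own major line is <= the version; a major line newer than
// every listed fix is assumed to carry the fix; an older line with no fix is open.
function isFixed(installed, fixedIn) {
  const v = parseVersion(installed);
  const fixes = fixedIn.map(parseVersion);
  const sameLine = fixes.filter((f) => f.nums[0] === v.nums[0]);
  if (sameLine.length === 0) return v.nums[0] > Math.max(...fixes.map((f) => f.nums[0]));
  return sameLine.some((f) => compare(v, f) >= 0);
}

// Returns the ids of advisories still open on the installed version.
function openAdvisories(installed, advisories = ADVISORIES) {
  return advisories.filter((a) => !isFixed(installed, a.fixedIn)).map((a) => a.id);
}

// Constructed sample: the version currently pinned in internal/site, per this issue.
console.log('15.4.8 ->', openAdvisories('15.4.8'));
```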
Existing PR
References