## Summary `internal/site` currently uses Next.js **15.4.8**, which is affected by three high-severity CVEs: | CVE | Severity | Type | Fixed In | |-----|----------|------|----------| | CVE-2025-55184 | High (7.5) | React Server Components DoS — infinite loop via deserialization | 15.4.10 / 16.1.7 | | CVE-2025-67779 | High (7.5) | RSC DoS — incomplete fix for CVE-2025-55184 | 15.4.10 / 16.1.7 | | CVE-2026-27980 | High (7.5) | Image optimization DoS — unbounded disk cache growth | 16.1.7 only | ## Details ### CVE-2025-55184 / CVE-2025-67779 A crafted HTTP request to any App Router endpoint can trigger an infinite loop during RSC deserialization, hanging the server process and preventing it from serving future requests. CVE-2025-67779 is the complete fix after the initial CVE-2025-55184 patch was found to be incomplete. - Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx - Next.js blog: https://nextjs.org/blog/security-update-2025-12-11 ### CVE-2026-27980 The default `/_next/image` optimization endpoint writes cached variants to `.next/cache/images/` with no upper bound or eviction policy. An attacker can exhaust disk space by requesting many unique width/quality combinations, causing denial of service. - Advisory: https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8 - Fix introduces LRU disk cache with `images.maximumDiskCacheSize` config. ## Proposed Fix **Option A (minimal, addresses 2 of 3 CVEs):** Upgrade Next.js from 15.4.8 → **15.4.10** to fix CVE-2025-55184 and CVE-2025-67779. CVE-2026-27980 remains open (fix only in 16.1.7+). **Option B (complete, addresses all 3 CVEs):** Upgrade Next.js from 15.4.8 → **16.1.7** (or latest 16.x). This is a major version bump and may require migration work. An existing Dependabot PR exists (#216) but targets 16.1.5, which is still vulnerable to CVE-2026-27980 — it should be updated to 16.1.7+. ## Existing PR - #216 — Dependabot PR bumping to 16.1.5 (insufficient, needs rebase to 16.1.7+) ## References - https://nvd.nist.gov/vuln/detail/CVE-2025-55184 - https://nvd.nist.gov/vuln/detail/CVE-2025-67779 - https://nvd.nist.gov/vuln/detail/CVE-2026-27980 - https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components