security: Upgrade Next.js to fix CVE-2025-55184, CVE-2025-67779, and CVE-2026-27980 #299
Description
Summary
internal/site currently uses Next.js 15.4.8, which is affected by three high-severity CVEs:
| CVE | Severity | Type | Fixed In |
|---|---|---|---|
| CVE-2025-55184 | High (7.5) | React Server Components DoS — infinite loop via deserialization | 15.4.10 / 16.1.7 |
| CVE-2025-67779 | High (7.5) | RSC DoS — incomplete fix for CVE-2025-55184 | 15.4.10 / 16.1.7 |
| CVE-2026-27980 | High (7.5) | Image optimization DoS — unbounded disk cache growth | 16.1.7 only |
Details
CVE-2025-55184 / CVE-2025-67779
A crafted HTTP request to any App Router endpoint can trigger an infinite loop during RSC deserialization, hanging the server process and preventing it from serving further requests. CVE-2025-67779 was assigned because the initial patch for CVE-2025-55184 was found to be incomplete; 15.4.10 / 16.1.7 carry the complete fix.
- Advisory: GHSA-mq59-m269-xvcx
- Next.js blog: https://nextjs.org/blog/security-update-2025-12-11
CVE-2026-27980
The default /_next/image optimization endpoint writes cached variants to .next/cache/images/ with no upper bound or eviction policy. An attacker can exhaust disk space by requesting many unique width/quality combinations, causing denial of service.
- Advisory: GHSA-3x4c-7xq6-9pq8
- Fix introduces an LRU disk cache with an `images.maximumDiskCacheSize` config option.
Proposed Fix
Option A (minimal, addresses 2 of 3 CVEs):
Upgrade Next.js from 15.4.8 → 15.4.10 to fix CVE-2025-55184 and CVE-2025-67779. CVE-2026-27980 remains open (fix only in 16.1.7+).
Option B (complete, addresses all 3 CVEs):
Upgrade Next.js from 15.4.8 → 16.1.7 (or latest 16.x). This is a major version bump and may require migration work. A Dependabot PR already exists (#216) but targets 16.1.5, which is still vulnerable to CVE-2026-27980 — it should be updated to 16.1.7+.
Existing PR
- chore(deps-dev): bump next from 15.4.8 to 16.1.5 in /internal/site #216 — Dependabot PR bumping to 16.1.5 (insufficient, needs rebase to 16.1.7+)
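To make the "Fixed In" column above actionable when reviewing either option, here is a small version check that reports which of the three CVEs remain open for a given Next.js version. It is an added example, not code from this issue or from the project; the fixed-in thresholds come from the table above, while the semver parser, the `openCves` / `auditPackageJson` names and the sample package.json are constructed here.

```javascript
// Added example (not from the issue or the project): report which of the
// three CVEs listed in the issue are still open for an installed Next.js
// version. Fixed-in versions are taken from the issue's table; everything
// else (parser, sample package.json) is constructed for this example.

// Fixed-in version per CVE, keyed by major release line (from the table).
// A missing major means the CVE has no fix on that line at all.
const FIXED_IN = {
  'CVE-2025-55184': { 15: '15.4.10', 16: '16.1.7' },
  'CVE-2025-67779': { 15: '15.4.10', 16: '16.1.7' },
  'CVE-2026-27980': { 16: '16.1.7' },
};

// Parse "MAJOR.MINOR.PATCH" into numbers. A single leading ^, ~, = or v is
// ignored, so a package.json range is treated as its lower bound; any
// prerelease/build suffix is dropped. Other range syntax is rejected.
function parseVersion(v) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version spec: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two [major, minor, patch] triples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the CVE ids still open for the given version string.
function openCves(installed) {
  const v = parseVersion(installed);
  const open = [];
  for (const [cve, lines] of Object.entries(FIXED_IN)) {
    const fixedIn = lines[v[0]];
    // No fix on this major line (CVE-2026-27980 on 15.x) -> still open.
    // Otherwise open whenever installed < fixed-in on the same line.
    if (!fixedIn || compareVersions(v, parseVersion(fixedIn)) < 0) {
      open.push(cve);
    }
  }
  return open;
}

// Audit a parsed package.json: look at "next" under dependencies first,
// then devDependencies (the Dependabot PR in the issue touches the latter).
function auditPackageJson(pkg) {
  const spec =
    (pkg.dependencies && pkg.dependencies.next) ||
    (pkg.devDependencies && pkg.devDependencies.next);
  if (!spec) return { installed: null, open: [] };
  return { installed: spec, open: openCves(spec) };
}

// Constructed sample mirroring the state the issue describes (15.4.8 pinned).
const SAMPLE_PACKAGE_JSON = {
  name: 'site',
  devDependencies: { next: '15.4.8' },
};

// Constructed usage: the currently pinned version plus both upgrade targets.
const REPORT = {
  current: auditPackageJson(SAMPLE_PACKAGE_JSON),
  optionA: openCves('15.4.10'),
  optionB: openCves('16.1.7'),
  dependabot216: openCves('16.1.5'),
};
```

Because a caret or tilde range only states a lower bound, run the check against the resolved version in the lockfile rather than the package.json spec when deciding whether the deployed site is actually patched; the spec-based path here is only a floor. Note also that a 15.x version at or above 15.4.10 still reports CVE-2026-27980 as open, which is exactly the trade-off between Option A and Option B.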