[GH-ISSUE #2031] React2shell: CVE-2025-66478 and CVE-2025-55182 #3998

Closed
opened 2026-04-20 08:22:35 -05:00 by GiteaMirror · 9 comments

Originally created by @dzatoah on GitHub (Dec 10, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2031

Describe the Bug

If I'm right, then the pangolin:latest Docker image is affected by the React2Shell vulnerability, rated 10/10.
Please upgrade Next.js and React ASAP!

https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
https://react2shell.com/

How to test if your instance is affected:

cve.yaml:

id: cve-2025-55182-react2shell

info:
  name: React2Shell (CVE-2025-55182) Detection
  author: SecurityResearchTeam
  severity: critical
  description: Detects unauthenticated RCE in React Server Components via unsafe deserialization.
  tags: cve,cve2025,react,rce,nextjs

requests:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Next-Action: {{rand_text_alphanumeric(10)}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryReactScan
        
        ------WebKitFormBoundaryReactScan
        Content-Disposition: form-data; name="1"
        
        {"then": null}
        ------WebKitFormBoundaryReactScan--

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: body
        words:
          - "React Server Components Error"
          - "Minified React error"
          - "digest"
          - "react-server-dom-webpack"

targets.txt:

https://pangolin.example.org

nuclei -l targets.txt -t cve.yaml -debug

Environment

  • OS Type & Version: Debian 13
  • docker.io/fosrl/pangolin:latest
  • docker.io/fosrl/gerbil:latest
  • docker.io/traefik:latest

Output of Nuclei of affected machine:

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.6.0

projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.6.0 (latest)
[INF] Current nuclei-templates version: v10.3.5 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 57
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [cve-2025-55182-react2shell] Dumped HTTP request for https://pangolin.*******.**

POST / HTTP/1.1
Host: pangolin.*******.**
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6.3 Safari/605.1.15
Connection: close
Content-Length: 132
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryReactScan
Next-Action: UGUgfoXHBR
Accept-Encoding: gzip

------WebKitFormBoundaryReactScan
Content-Disposition: form-data; name="1"

{"then": null}
------WebKitFormBoundaryReactScan--
[DBG] [cve-2025-55182-react2shell] Dumped HTTP response https://pangolin.******.**

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/x-component
Date: Wed, 10 Dec 2025 12:48:58 GMT
Vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
X-Powered-By: Express

0:{"a":"$@1","f":"","b":"TjfB-qJFPon4RUNhdqJX3"}
1:E{"digest":"1664348887"}
[cve-2025-55182-react2shell:status-1] [http] [critical] https://pangolin.*****.**
[cve-2025-55182-react2shell:word-2] [http] [critical] https://pangolin.*****.**
[INF] Scan completed in 599.479665ms. 2 matches found.

@c4sti3l commented on GitHub (Dec 10, 2025):

Yes I also got an email from my provider Hetzner:

a highly critical vulnerability in React Server Components (CVE-2025-55182) also affects Next.js (CVE-2025-66478) and other widely used frameworks that are frequently deployed in web applications. The vulnerability allows remote attackers to execute arbitrary code without authentication.

And on the related cloud server I only run Pangolin, so I think this should be fixed as fast as possible.


@Kh3nsu commented on GitHub (Dec 10, 2025):

Can confirm, I also just got the message from BSI. As far as I can see 1.12.3 is already addressing the CVE-2025-55182.

"Update Next to 15.5.7 ref: https://github.com/advisories/GHSA-fv66-9v8q-g76r"

Isn't CVE-2025-66478 already fixed then too? According to the BSI, CVE-2025-66478 is the Next.js vulnerability.
CVE-2025-55182 is the React vulnerability, as Next.js builds on top of React Server Components. Basically the same vulnerability, but different CVEs for each of them.

According to this information, the latest update 1.12.3 already addressed "both" issues. Just update.


@nlsrchtr commented on GitHub (Dec 10, 2025):

Hi @dzatoah,

I just updated my installation to latest and got version 1.12.3 installed, and the release notes (https://github.com/fosrl/pangolin/releases/tag/1.12.3) include that the Next.js version was updated.

After that, I used this scanner (https://github.com/assetnote/react2shell-scanner) to check that the vulnerability was closed, and this was successful.

So maybe you would need to check if you are really pulling the latest tag?

I hope this helps to mitigate this CVE for you asap.


@oschwartz10612 commented on GitHub (Dec 10, 2025):

Yes please check if you are pulling the latest tag! We updated next in 1.12.3. If not please reopen.


@dzatoah commented on GitHub (Dec 10, 2025):

The scanner does show a false negative to me, at least.

python3 scanner.py -u https://<domain>/ --safe-check --waf-bypass -H "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) "

brought to you by assetnote

[*] Loaded 1 host(s) to scan
[*] Using 10 thread(s)
[*] Timeout: 20s
[*] Using safe side-channel check
[*] WAF bypass enabled (128KB junk data)
[!] SSL verification disabled

[NOT VULNERABLE] https://<domain>/ - Status: 404

============================================================
SCAN SUMMARY
============================================================
Total hosts scanned: 1
Vulnerable: 0
Not vulnerable: 1
Errors: 0
============================================================
(react2shell-scanner)

I triple checked the version number in Pangolin is v1.12.3 (latest docker tag as said above).
Is there another dependency involved, maybe?

Please check on your own instance whether the same response is printed.

curl -X POST http://<domain>/ \
-H "Host: <domain>" \
-H "Next-Action: a1b2c3d4e5" \
-H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryReactScan" \
--data-binary $'------WebKitFormBoundaryReactScan\r\nContent-Disposition: form-data; name="1"\r\n\r\n{"then": null}\r\n------WebKitFormBoundaryReactScan--\r\n' -vL
Note: Unnecessary use of -X or --request, POST is already inferred.
* Host <domain>:80 was resolved.
* IPv6: <...>
* IPv4: <...>
*   Trying [<ipv6>]:80...
* Connected to <domain> (<ipv6>) port 80
* using HTTP/1.x
> POST / HTTP/1.1
> Host: <domain>
> User-Agent: curl/8.14.1
> Accept: */*
> Next-Action: a1b2c3d4e5
> Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryReactScan
> Content-Length: 132
>
* upload completely sent off: 132 bytes
< HTTP/1.1 307 Temporary Redirect
* Need to rewind upload for next request
< Location: https://<domain>/
< Date: Wed, 10 Dec 2025 20:13:39 GMT
< Content-Length: 18
* Ignoring the response-body
* setting size while ignoring
<
* Connection #0 to host <domain> left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://<domain>/'
* Host <domain>:443 was resolved.
* IPv6: <ipv6>
* IPv4: <ipv4>
*   Trying [<ipv6>]:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=<domain>
*  start date: Nov 23 13:09:27 2025 GMT
*  expire date: Feb 21 13:09:26 2026 GMT
*  subjectAltName: host "<domain>" matched cert's "<domain>"
*  issuer: C=US; O=Let's Encrypt; CN=R12
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to <domain> (<ipv6>) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://<domain>/
* [HTTP/2] [1] [:method: POST]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: <domain>]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.14.1]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [next-action: a1b2c3d4e5]
* [HTTP/2] [1] [content-type: multipart/form-data; boundary=----WebKitFormBoundaryReactScan]
* [HTTP/2] [1] [content-length: 132]
> POST / HTTP/2
> Host: <domain>
> User-Agent: curl/8.14.1
> Accept: */*
> Next-Action: a1b2c3d4e5
> Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryReactScan
> Content-Length: 132
>
* upload completely sent off: 132 bytes
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 500
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< content-type: text/x-component
< date: Wed, 10 Dec 2025 20:13:39 GMT
< vary: rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding
< x-powered-by: Express
<
0:{"a":"$@1","f":"","b":"TjfB-qJFPon4RUNhdqJX3"}
1:E{"digest":"1664348887"}
* Connection #1 to host <domain> left intact

What makes it even weirder:
docker exec fc4f17af28cc npm list next

@fosrl/pangolin@0.0.0 /app
+-- next-intl@4.5.8
| `-- next@15.5.7 deduped
+-- next@15.5.7
`-- nextjs-toploader@3.9.17
`-- next@15.5.7 deduped

I do not have sufficient permissions to reopen the issue.


@dzatoah commented on GitHub (Dec 10, 2025):

docker image with latest tag:

$ docker exec fc4f17af28cc npm list | grep react@19
+-- @types/react@19.2.2
+-- react@19.2.0

Please update package.json ASAP with fixed version 19.2.1:
https://github.com/fosrl/pangolin/blob/6e6fa77625a458c217466bf7521df0ef81a004a2/package.json#L110

EDIT: Ah, I saw you already updated to 19.2.1 in latest master, but the release has yet to be made ;)

Thank you in advance!


@auqust commented on GitHub (Dec 10, 2025):

I checked out the latest release tag (1.12.3), ran npm install, and immediately received a concerning warning:

npm warn deprecated next@15.5.2: This version has a security vulnerability. Please upgrade to a patched version. See https://nextjs.org/blog/CVE-2025-66478 for more details.

At first, this was confusing because the main Next.js dependency was correctly updated to "next": "15.5.7" in commit 10a00ff. This suggested that a transitive dependency must be pulling in the vulnerable version.

Running npm list next confirmed the issue:

@fosrl/pangolin@0.0.0
├─┬ @react-email/preview-server@4.3.2
│ └── next@15.5.2
├─┬ next-intl@4.5.8
│ └── next@15.5.7 deduped
├── next@15.5.7
└─┬ nextjs-toploader@3.9.17
  └── next@15.5.7 deduped

As shown above, @react-email/preview-server@4.3.2 (a dev dependency) depends on next@15.5.2, which is vulnerable to the react2shell CVE.

While this is only a dev dependency and doesn't affect production builds, it's still worth addressing for contributor security. I noticed that the current main branch has this resolved in commit 74dd3fd. Would it make sense to cut a new release or update the dev dependencies?

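A lock-file audit for the nested-copy problem this comment describes, as an added example (not Pangolin's own code): it walks every entry of a package-lock.json, so a second copy of next installed under a transitive dependency's own node_modules is reported alongside the top-level one, and production copies are separated from devDependencies. The lock-file excerpt is constructed to mirror the npm list tree above, and the version thresholds are the ones named in this thread, assumed to apply to a single release line.

```python
"""Check every copy of a watched package in a package-lock.json (lockfileVersion
2 or 3) against a minimum fixed version, including copies that a transitive
dependency installs under its own node_modules directory."""
import json
from typing import Dict, List, Tuple

# Minimum fixed versions as stated in this thread (assumption: one release line;
# check the advisories for backport lines).
MIN_FIXED = {"next": "15.5.7", "react": "19.2.1"}

# Constructed excerpt of a lockfileVersion-3 package-lock.json. The nested
# next@15.5.2 under @react-email/preview-server mirrors the dev-only copy above.
LOCK_JSON = json.dumps({
    "name": "@fosrl/pangolin",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "@fosrl/pangolin", "version": "0.0.0"},
        "node_modules/next": {"version": "15.5.7"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/next-intl": {"version": "4.5.8"},
        "node_modules/@react-email/preview-server": {"version": "4.3.2", "dev": True},
        "node_modules/@react-email/preview-server/node_modules/next": {
            "version": "15.5.2", "dev": True},
    },
})


def parse_version(version: str) -> Tuple[int, ...]:
    """'15.5.7' or '15.5.7-canary.3' -> (15, 5, 7); prerelease/build tags are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def package_name(lock_path: str) -> str:
    """Last node_modules segment of a lock-file key; scoped names are kept whole."""
    return lock_path.split("node_modules/")[-1]


def find_outdated(lock_text: str, minimums: Dict[str, str]) -> List[dict]:
    """Return every copy of a watched package that is below its minimum version."""
    lock = json.loads(lock_text)
    findings = []
    for lock_path, meta in lock.get("packages", {}).items():
        if not lock_path:
            continue  # the root project entry
        name = package_name(lock_path)
        version = meta.get("version")
        if name not in minimums or not version:
            continue
        if parse_version(version) < parse_version(minimums[name]):
            findings.append({
                "name": name,
                "version": version,
                "minimum": minimums[name],
                "path": lock_path,
                "dev": bool(meta.get("dev")),  # devDependencies do not ship in the image
            })
    return sorted(findings, key=lambda f: f["path"])


def summarize(findings: List[dict]) -> Dict[str, List[str]]:
    """Split findings into production copies (shipped) and dev-only copies."""
    summary: Dict[str, List[str]] = {"production": [], "dev": []}
    for f in findings:
        summary["dev" if f["dev"] else "production"].append(
            f"{f['name']}@{f['version']} at {f['path']} (fixed in {f['minimum']})")
    return summary


if __name__ == "__main__":
    for scope, items in summarize(find_outdated(LOCK_JSON, MIN_FIXED)).items():
        print(f"{scope}: {len(items)} outdated copy/copies")
        for line in items:
            print("  " + line)
```

Point the script at a real lock file by replacing LOCK_JSON with the file's contents; a production finding is one to act on, a dev-only finding affects contributors' machines rather than the running image.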

@oschwartz10612 commented on GitHub (Dec 11, 2025):

The @react-email/preview-server package provides a live development server for instantly previewing your email templates built with the React Email library directly in the browser. This is used for development only and is installed in devDependencies, and should not affect 1.12.3.

That said, it was removed in the latest package.json and React is updated to 19.2.1 for the 1.13.0 release, which will go out today.


@tuuuni0scouts commented on GitHub (Dec 17, 2025):

> The @react-email/preview-server package provides a live development server for instantly previewing your email templates built with the React Email library directly in the browser. This is used for development only and is installed in devDependencies, and should not affect 1.12.3.
>
> That said, it was removed in the latest package.json and React is updated to 19.2.1 for the 1.13.0 release, which will go out today.

When I have patched, is there anything I should check to make sure I did not get compromised?

Reference: github-starred/pangolin#3998