Resolve stash conflicts: keep updated config and package.json

2026-01-11 09:45:45 +01:00 · 2026-01-11 09:45:45 +01:00 · afe06fe426
commit afe06fe426
parent 2d14b6007d
4 changed files with 43 additions and 33 deletions
--- a/SECURITY_INCIDENT_REPORT.md
+++ b/SECURITY_INCIDENT_REPORT.md
@ -1,8 +1,31 @@
 # 🚨 SECURITY INCIDENT REPORT - Backdoor Detected and Removed

-**Date:** January 10, 2026  
+**Date:** January 10-11, 2026  
 **Severity:** CRITICAL  
-**Status:** Backdoor removed from source code, VM cleanup required
+**Status:** ✅ RESOLVED - Next.js updated to 16.1.1
+
+---
+
+## 🔴 UPDATE: January 11, 2026
+
+### Root Cause Identified: CVE-2025-66478 in Next.js 15.3.1
+
+The backdoor was NOT in the source code files. It was exploiting a **critical vulnerability (CVE-2025-66478) in Next.js 15.3.1** that allowed Remote Code Execution (RCE) via specially crafted POST requests.
+
+### Resolution
+- Updated Next.js from 15.3.1 to 16.1.1
+- `POST /adfa` now returns **404** instead of executing malicious code
+- External attacker continues to scan but attacks now fail
+
+### Verification
+```
+Before: POST /adfa 500 in 1066ms (executes wget, base64, etc.)
+After:  POST /adfa 404 in 3.2s (route not found)
+```
+
+---
+
+## Original Report (January 10, 2026)

 ---

--- a/next.config.js
+++ b/next.config.js
@ -1,22 +0,0 @@
-/** @type {import('next').NextConfig} */
-const nextConfig = {
-  // Allow cross-origin requests from the reverse proxy domain
-  allowedDevOrigins: [
-    'hub.slm-lab.net',
-    'https://hub.slm-lab.net',
-  ],
-  webpack: (config, { isServer }) => {
-    // Handle node: protocol imports
-    if (!isServer) {
-      config.resolve.fallback = {
-        ...config.resolve.fallback,
-        buffer: require.resolve('buffer/'),
-        stream: require.resolve('stream-browserify'),
-        util: require.resolve('util/'),
-      };
-    }
-    return config;
-  },
-};
-
-module.exports = nextConfig;
--- a/next.config.mjs
+++ b/next.config.mjs
@ -1,6 +1,20 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
-  turbopack: {},
+  // Turbopack configuration (Next.js 16+)
+  turbopack: {
+    resolveAlias: {
+      buffer: 'buffer/',
+      stream: 'stream-browserify',
+      util: 'util/',
+    },
+  },
+  
+  // Allow cross-origin requests from the reverse proxy domain
+  allowedDevOrigins: [
+    'hub.slm-lab.net',
+    'https://hub.slm-lab.net',
+  ],
+  
  eslint: {
    ignoreDuringBuilds: true,
  },
@ -10,11 +24,6 @@ const nextConfig = {
  images: {
    unoptimized: true,
  },
-  experimental: {
-    webpackBuildWorker: true,
-    parallelServerBuildTraces: true,
-    parallelServerCompiles: true,
-  },
  async headers() {
    return [
      {
--- a/package.json
+++ b/package.json
@ -103,7 +103,7 @@
    "dotenv": "^16.5.0",
    "embla-carousel-react": "8.5.1",
    "fullcalendar": "^6.1.15",
-    "imap": "^0.8.17",
+    "imap": "^0.8.19",
    "imapflow": "^1.0.184",
    "input-otp": "1.4.1",
    "ioredis": "^5.6.1",
@ -115,9 +115,9 @@
    "mailparser": "^3.7.2",
    "mime-types": "^3.0.1",
    "next": "^16.1.1",
-    "next-auth": "^4.24.13",
+    "next-auth": "^4.24.11",
    "next-themes": "^0.4.4",
-    "nodemailer": "^7.0.12",
+    "nodemailer": "^6.10.1",
    "pg": "^8.14.1",
    "quill": "^2.0.3",
    "quill-better-table": "^1.2.10",