diff --git a/SECURITY_INCIDENT_REPORT.md b/SECURITY_INCIDENT_REPORT.md
index 7494c3f..d33553b 100644
--- a/SECURITY_INCIDENT_REPORT.md
+++ b/SECURITY_INCIDENT_REPORT.md
@@ -1,8 +1,31 @@
 # 🚨 SECURITY INCIDENT REPORT - Backdoor Detected and Removed
-**Date:** January 10, 2026
+**Date:** January 10-11, 2026
 **Severity:** CRITICAL
-**Status:** Backdoor removed from source code, VM cleanup required
+**Status:** ✅ RESOLVED - Next.js updated to 16.1.1
+ + --- + + ## 🔴 UPDATE: January 11, 2026 + + ### Root Cause Identified: CVE-2025-66478 in Next.js 15.3.1 + + The backdoor was NOT in the source code files. It was exploiting a **critical vulnerability (CVE-2025-66478) in Next.js 15.3.1** that allowed Remote Code Execution (RCE) via specially crafted POST requests. + + ### Resolution + - Updated Next.js from 15.3.1 to 16.1.1 + - `POST /adfa` now returns **404** instead of executing malicious code + - External attacker continues to scan but attacks now fail + + ### Verification + ``` + Before: POST /adfa 500 in 1066ms (executes wget, base64, etc.) + After: POST /adfa 404 in 3.2s (route not found) + ``` + + --- + + ## Original Report (January 10, 2026) ---
diff --git a/next.config.js b/next.config.js
deleted file mode 100644
index 2dba98c..0000000
--- a/next.config.js
+++ /dev/null
@@ -1,22 +0,0 @@
-/** @type {import('next').NextConfig} */
-const nextConfig = {
- // Allow cross-origin requests from the reverse proxy domain
- allowedDevOrigins: [
- 'hub.slm-lab.net',
- 'https://hub.slm-lab.net',
- ],
- webpack: (config, { isServer }) => {
- // Handle node: protocol imports
- if (!isServer) {
- config.resolve.fallback = {
- ...config.resolve.fallback,
- buffer: require.resolve('buffer/'),
- stream: require.resolve('stream-browserify'),
- util: require.resolve('util/'),
- };
- }
- return config;
- },
-};
-
-module.exports = nextConfig;
\ No newline at end of file
diff --git a/next.config.mjs b/next.config.mjs
index 172875c..be7def7 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -1,6 +1,20 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
- turbopack: {},
+ // Turbopack configuration (Next.js 16+)
+ turbopack: {
+ resolveAlias: {
+ buffer: 'buffer/',
+ stream: 'stream-browserify',
+ util: 'util/',
+ },
+ },
+
+ // Allow cross-origin requests from the reverse proxy domain
+ allowedDevOrigins: [
+ 'hub.slm-lab.net',
+ 'https://hub.slm-lab.net',
+ ],
+
 eslint: {
 ignoreDuringBuilds: true,
 },
@@ -10,11 +24,6 @@ const nextConfig = {
 images: {
 unoptimized: true,
 },
- experimental: {
- webpackBuildWorker: true,
- parallelServerBuildTraces: true,
- parallelServerCompiles: true,
- },
 async headers() {
 return [
 {
diff --git a/package.json b/package.json
index daac4bf..2f2dfd3 100644
--- a/package.json
+++ b/package.json
@@ -103,7 +103,7 @@
 "dotenv": "^16.5.0",
 "embla-carousel-react": "8.5.1",
 "fullcalendar": "^6.1.15",
- "imap": "^0.8.17",
+ "imap": "^0.8.19",
 "imapflow": "^1.0.184",
 "input-otp": "1.4.1",
 "ioredis": "^5.6.1",
@@ -115,9 +115,9 @@
 "mailparser": "^3.7.2",
 "mime-types": "^3.0.1",
 "next": "^16.1.1",
- "next-auth": "^4.24.13",
+ "next-auth": "^4.24.11",
 "next-themes": "^0.4.4",
- "nodemailer": "^7.0.12",
+ "nodemailer": "^6.10.1",
 "pg": "^8.14.1",
 "quill": "^2.0.3",
 "quill-better-table": "^1.2.10",
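Review bot: The new `resolveAlias` block in the first next.config.mjs hunk applies the `buffer`, `stream` and `util` aliases to every bundle, whereas the webpack fallback it replaces (in the deleted next.config.js) was scoped to `!isServer`; Turbopack's `resolveAlias` accepts condition objects, so `buffer: { browser: 'buffer/' }`, `stream: { browser: 'stream-browserify' }`, `util: { browser: 'util/' }` would keep the browser polyfills out of the server build where Node's own modules should win. `allowedDevOrigins` is documented as a list of hostnames/patterns, so the second entry `'https://hub.slm-lab.net'` looks redundant or ineffective next to `'hub.slm-lab.net'` — confirm against the Next.js 16 docs and drop or correct it. A one-line comment such as `// browser-only polyfills; the server build must keep Node's built-in buffer/stream/util` would record the intent the webpack version expressed in code. The `nextConfig` object continues past both hunks (`headers()` is cut off).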
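Review bot: The second package.json hunk moves two ranges backwards — `"next-auth": "^4.24.11"` (was ^4.24.13) and `"nodemailer": "^6.10.1"` (was ^7.0.12) — in a commit whose report marks the incident resolved, and nothing in the diff explains why. The caret on next-auth still admits 4.24.13, but `^6.10.1` excludes nodemailer 7.x entirely, so any fixes carried by the 7.x line leave the resolvable set; if this is a side effect of regenerating package.json from an older lockfile rather than a deliberate pin, it should be reverted, and if deliberate the reason belongs in the commit message. Either way, run the project's dependency audit against the resulting lockfile before relying on the "RESOLVED" status in the report.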