alma/NeahStable
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Resolve stash conflicts: keep updated config and package.json

Browse Source
This commit is contained in:
alma 2026-01-11 09:45:45 +01:00
parent 2d14b6007d
commit afe06fe426
4 changed files with 43 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
SECURITY_INCIDENT_REPORT.md
View File

@ -1,8 +1,31 @@
# 🚨 SECURITY INCIDENT REPORT - Backdoor Detected and Removed # 🚨 SECURITY INCIDENT REPORT - Backdoor Detected and Removed
**Date:** January 10, 2026 **Date:** January 10-11, 2026
**Severity:** CRITICAL **Severity:** CRITICAL
**Status:** Backdoor removed from source code, VM cleanup required **Status:** ✅ RESOLVED - Next.js updated to 16.1.1
---
## 🔴 UPDATE: January 11, 2026
### Root Cause Identified: CVE-2025-66478 in Next.js 15.3.1
The backdoor was NOT in the source code files. It was exploiting a **critical vulnerability (CVE-2025-66478) in Next.js 15.3.1** that allowed Remote Code Execution (RCE) via specially crafted POST requests.
### Resolution
- Updated Next.js from 15.3.1 to 16.1.1
- `POST /adfa` now returns **404** instead of executing malicious code
- External attacker continues to scan but attacks now fail
### Verification
```
Before: POST /adfa 500 in 1066ms (executes wget, base64, etc.)
After: POST /adfa 404 in 3.2s (route not found)
```
---
## Original Report (January 10, 2026)
--- ---

22
next.config.js
View File

@ -1,22 +0,0 @@
/** @type {import('next').NextConfig} */
const nextConfig = {
// Allow cross-origin requests from the reverse proxy domain
allowedDevOrigins: [
'hub.slm-lab.net',
'https://hub.slm-lab.net',
],
webpack: (config, { isServer }) => {
// Handle node: protocol imports
if (!isServer) {
config.resolve.fallback = {
...config.resolve.fallback,
buffer: require.resolve('buffer/'),
stream: require.resolve('stream-browserify'),
util: require.resolve('util/'),
};
}
return config;
},
};
module.exports = nextConfig;

21
next.config.mjs
View File

@ -1,6 +1,20 @@
/** @type {import('next').NextConfig} */ /** @type {import('next').NextConfig} */
const nextConfig = { const nextConfig = {
turbopack: {}, // Turbopack configuration (Next.js 16+)
turbopack: {
resolveAlias: {
buffer: 'buffer/',
stream: 'stream-browserify',
util: 'util/',
},
},
// Allow cross-origin requests from the reverse proxy domain
allowedDevOrigins: [
'hub.slm-lab.net',
'https://hub.slm-lab.net',
],
eslint: { eslint: {
ignoreDuringBuilds: true, ignoreDuringBuilds: true,
}, },
@ -10,11 +24,6 @@ const nextConfig = {
images: { images: {
unoptimized: true, unoptimized: true,
}, },
experimental: {
webpackBuildWorker: true,
parallelServerBuildTraces: true,
parallelServerCompiles: true,
},
async headers() { async headers() {
return [ return [
{ {

6
package.json
View File

@ -103,7 +103,7 @@
"dotenv": "^16.5.0", "dotenv": "^16.5.0",
"embla-carousel-react": "8.5.1", "embla-carousel-react": "8.5.1",
"fullcalendar": "^6.1.15", "fullcalendar": "^6.1.15",
"imap": "^0.8.17", "imap": "^0.8.19",
"imapflow": "^1.0.184", "imapflow": "^1.0.184",
"input-otp": "1.4.1", "input-otp": "1.4.1",
"ioredis": "^5.6.1", "ioredis": "^5.6.1",
@ -115,9 +115,9 @@
"mailparser": "^3.7.2", "mailparser": "^3.7.2",
"mime-types": "^3.0.1", "mime-types": "^3.0.1",
"next": "^16.1.1", "next": "^16.1.1",
"next-auth": "^4.24.13", "next-auth": "^4.24.11",
"next-themes": "^0.4.4", "next-themes": "^0.4.4",
"nodemailer": "^7.0.12", "nodemailer": "^6.10.1",
"pg": "^8.14.1", "pg": "^8.14.1",
"quill": "^2.0.3", "quill": "^2.0.3",
"quill-better-table": "^1.2.10", "quill-better-table": "^1.2.10",