Mitigate CVE-2025-55182 (React2Shell)

[c0ball]

I noticed that the currently available Docker image in the GitHub registry uses Next.js version 15.5.4, which is affected by the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0).

Since I'm not sure to what extent this affects Cap, I wanted to ask if someone could take a look at this, update the Next.js version to 15.5.9 and publish new Docker images.

Thank you in advance for looking into this!

[linear]

CAP-575

[abhilov23]

hey, I would like to work on this issue.

[mikejpeters]

I had a self-hosted instance where access tokens were recently exposed, and I have to assume it's because of this vulnerability. Worried to see no update

[c0ball]

Yeah, that doesn't seem to interest them very much. That's worrying, considering that they also offer CAP as a paid service. I would be unsure whether my data would be safe there.

[colinmollenhour]

Also the docker container ghcr.io/capsoftware/cap-web has not been updated for 2 months..

[c0ball]

Even though version 0.4.0 was released to address CVE-2025-66478, there are still three additional CVEs that have not yet been mitigated. I’ve opened #1492 to track and resolve those remaining issues.

Also, I recommend running this tool to check for any critical issues related to React2Shell: https://github.com/vercel-labs/fix-react2shell-next

[c0ball]

Since #1492 has been merged into main, this issue is resolved and is now awaiting the next release.