|
| 1 | +# Security Incident Report |
| 2 | +**Date:** January 31, 2026 |
| 3 | +**Project:** TaimakoAI |
| 4 | +**Severity:** Critical |
| 5 | +**Status:** Resolved (Monitoring Required) |
| 6 | + |
| 7 | +## Executive Summary |
| 8 | +On January 31, 2026, during routine maintenance, a **Critical Remote Code Execution (RCE)** vulnerability was detected in the frontend application. The vulnerability allowed unauthorized actors to execute system commands on the server. The attack vector was identified as a known security flaw in **Next.js 16.0.3**. Immediate remediation was performed by patching the software and restricting network configurations. |
| 9 | + |
| 10 | +## 1. Incident Details |
| 11 | +- **Component:** `taimako_frontend` (Next.js Application) |
| 12 | +- **Vulnerability Type:** Remote Code Execution (RCE) via Deserialization (CVE-2025-55182 / CVE-2025-66478) |
| 13 | +- **Affected Version:** Next.js `16.0.3` |
| 14 | +- **Detected:** January 31, 2026, 17:21 PM (local time) based on 502 Bad Gateway investigation. |
| 15 | + |
| 16 | +## 2. Root Cause Analysis |
| 17 | +The application was running an outdated version of Next.js (`16.0.3`) which contained a critical vulnerability in the React Server Components (RSC) payload handling. |
| 18 | +- **Mechanism:** Attackers sent maliciously crafted HTTP requests that the server deserialized, resulting in arbitrary shell command execution. |
| 19 | +- **Exploitation:** Logs confirmed active exploitation where attackers ran commands to list directories and print environment variables. |
| 20 | + |
| 21 | +## 3. Detection & Evidence |
| 22 | +The incident was discovered while investigating `502 Bad Gateway` errors. Review of the Docker logs (`docker logs taimako_frontend`) revealed: |
| 23 | +- **Abnormal Error Dumps**: `NEXT_REDIRECT` errors containing output of system commands. |
| 24 | +- **Command Execution**: |
| 25 | + - `ls -la /var/www/.env*` (Attempting to locate secret files) |
| 26 | + - `id`, `uname` (System reconnaissance) |
| 27 | + - `base64` verification logic. |
| 28 | +- **Environment Leak**: Error stack traces displayed the contents of environment variables, including configuration keys. |
| 29 | + |
| 30 | +## 4. Resolution & Mitigation |
| 31 | +The following corrective actions were taken immediately: |
| 32 | +1. **Software Patch**: Upgraded `next` dependency from `16.0.3` to `^16.0.7` (Current installed: `16.1.6`). |
| 33 | +2. **Configuration Hardening**: |
| 34 | + - Refactored Backend configuration to enforce **Strict CORS** policies in production. |
| 35 | + - Centralized middleware management. |
| 36 | +3. **Secret Rotation (Required User Action)**: |
| 37 | + - Initiated rotation protocol for `POSTGRES_PASSWORD`, `JWT_SECRET`, and `GOOGLE_CLIENT_SECRET`. |
| 38 | + |
| 39 | +## 5. Impact Assessment |
| 40 | +- **Data Confidentiality**: **High Risk**. Environment variables were exposed in logs. Secrets must be assumed compromised. |
| 41 | +- **Data Integrity**: **Medium Risk**. Attackers had shell access, but no evidence of database deletion was found in the limited log window. |
| 42 | +- **Availability**: **High Impact**. The attack caused the frontend service to crash repeatedly (502 errors). |
| 43 | + |
| 44 | +## 6. Recommendations & Next Steps |
| 45 | +1. **Immediate**: Complete the rotation of all production secrets (Database, JWT, API Keys). |
| 46 | +2. **Deployment**: Re-deploy all services with the patched Docker images. |
| 47 | +3. **Monitoring**: Monitor logs for the next 48 hours for any "NEXT_REDIRECT" anomalies or suspicious IP activity. |
| 48 | +4. **Process**: Implement a dependency scanning tool (e.g., Dependabot or Snyk) to catch upstream vulnerabilities earlier. |
0 commit comments