cal.com affected by CVE-2025-66478?

[ohR9]

There is a newly disclosed CVSS 10 RCE vulnerability in certain versions of React/NextJS, see

GHSA-9qr9-h5gf-34mp
and
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

Did somebody already analyze if Cal.com is affected by this? The NextJS version seems to be vulnerable but the react version not?

[padey]

They are.

[jaydrogers]

Is it possible to get any official word on this?

I saw this commit bumping the versions, but the 5.9.9 release notes just casually mention "bump nextjs version".

If this project is truly affected by this vulnerability

It might be good to send a security notice for everyone to upgrade? I'm just concerned about all the folks who are hosting the project themselves and are not aware of the implications if they do not upgrade.

[HannesOberreiter]

Self-hosted without Cloudflare, which would have been helpful here as our "attack" was after their shaky fix, but yeah still no fan of cloudflare for our data.

[padey]

I have shutdown our container Thursday night after the first POC was available and all scanners showed vulnerable. Also opened a security ticket - now the docker build is faulty with the new next.js version. By the way, looks like some of the mitigations/wag don't work.

Have to check shodan later to see how many appliances are readable.

[padey]

https://github.com/assetnote/react2shell-scanner

[keithwillcode]

Hey all. First off, apologies for the delay on this. We've been way too slow to respond and it's something we'll be fixing internally so our reaction time is much faster.

Here is an advisory I've just published with links to all places to get v5.9.9 / v5.9.10 or the direct patch. GHSA-qjx2-5xqp-cpf4

[pdmarf]

yep, my self hosted vps running cal.com was hit and a crypto miner installed. 🤯 I only noticed when the cpu was maxed out - a real pain!

[padey]

funfact. their AI support mail agent responded complete bullshit to me (and we are paying customers..) when arguing about the CVE's - no human contact.

[pdmarf]

crazy....

[keithwillcode]

I've raised this internally. Last thing we want is the AI responding with crap answers. We're on it.

[padey]

Florian just published, that they have detection rules (THOR) for CVE-2025-55182 react2shell .. https://x.com/cyb3rops/status/1997256280126242926

[ivandoomer]

Looks like my docker compose run was compomissed, I opened a discussion here with my log some minutes ago and my account ìvancarlosti was suspended almost instantly, the discussion article opened here was deleted o.o

How could the exploration of this vuln affects my Microsoft/Google keys and other docker containers running on same server?

I time, there is anything calcom can do to advocate for my account to ask Github to reinstate it?

[padey]

Anyone who operates a cal.com instance themselves and has not updated it by Friday, December 5, or taken the server offline, should check their server for webshells, cryptominers, etc. – do yourself a favor and run THOR (an IOC scanner) on it. The Lite version should also include the React2Shell Sigma Rules for detecting attack patterns... but I'm not 100% sure at the moment.

-> https://www.nextron-systems.com/thor-lite/

[jkoopmann]

Just noticed that my system was hacked. It did not receive the update due to bug #25182

I would love to simply kill the image and reload a working :latest one that I can run on my server. Question is how?

[tigerblue77]

Sorry, I have no clue what you're doing wrong but v5.9.11 tag is definitely for amd64 architecture and I deployed it successfully this afternoon without modifying my configuration from v5.9.1

[pdmarf]

Thanks @tigerblue77 , that's good to know. I'll try it again

[pdmarf]

every day is a learning day... i was actually using the latest tag which gives the error Error response from daemon: no matching manifest for linux/amd64 in the manifest list. I assumed that would pull v5.9.11 but it did not for amd64. tag v5.9.11 worked. thanks for the input @tigerblue77

[tigerblue77]

Let me rephrase :

every day is a learning day... i was actually using the latest tag which has a bug and is now pointing to arm64 image

=> see #25182 that @jkoopmann mentioned but that you probably didn't read before replying to his comment.

So it was giving me the error Error response from daemon: no matching manifest for linux/amd64 in the manifest list as this image is only built for arm64 architecture, not for amd64. I assumed that would pull v5.9.11 for amd64 as it is the most used architecture for this kind of projects but it did not. Tag v5.9.11 worked as it is still pointing to amd64 architecture build. I could have checked that directly in the Docker Hub repository that I'm downloading my images from : https://hub.docker.com/r/calcom/cal.com/tags

Or in short rude dev version : RTFM.

Or in short nice @tigerblue77's version : I'm glad that you learnt how this works and I wish @asm0dey learns it too (linked to your comment on #25182).

Hope you don't take it bad, wish you both the best.
Respectfully,

[asm0dey]

This part I know, I didn't know that the new tag is published, and there is amd64 support

[HannesOberreiter]

Two more CVE incoming, https://nextjs.org/blog/security-update-2025-12-11

As far as I can tell cal.com is one version behind the fix (next 15.5.8 < 15.5.9).

(I hope no .env variables are compiled into the source code on docker container startup, need to have a look into it. I believe only the URLs are hardcoded replaced on startup into the source code.)

[padey]

yes... @keithwillcode

[keithwillcode]

We are on it cc @volnei @emrysal

[keithwillcode]

This is now fixed in v5.9.15 by this PR.

We saw that the Docker builds have failed for this release and are fixing that now.

[Bakkerach]

Just adding a data point for anyone investigating this on their machine:

I found XMRig running inside my Cal.com container, dropped as /tmp/.XIN-unix/javae with a standard config.json pointing to pool.supportxmr.com.

Additional symptom that may be related:

• The Cal.com container was intermittently reporting unhealthy for ~1 week prior, seemingly at random.
• This stopped once the miner was removed and the container rebuilt.
• My assumption is the health check was failing due to resource contention or the miner failing/crashing during startup.

Key observations:

• Miner lived only in /tmp (no startup scripts, no image modification)
• No docker.sock mount, no privileged container
• No evidence of host compromise
• Process respawned aggressively when filesystem scanning (e.g. ClamAV) started
• Restarting the container from a latest image removed it.
• Suggest checking for unexpected executables in /tmp or /dev/shm and monitoring for processes spawning from those paths.

Hope this helps others debugging similar symptoms.

[padey]

https://beelzebub.ai/blog/threat-huntinga-analysis-of-a-nextjs-exploit-campaign/

"What they're doing:

• Chaining CVE-2025-29927 + CVE-2025-66478 for RCE
• Harvesting .env files, SSH keys, AWS creds, Docker configs, Git credentials
• Dropping persistent backdoors
• Everything flows through their open C2 - task queues, exfil data, the works"

Analysing the 5.9.12 image, still shows a lot of out-dated dependecies - not related to next.js..
@keithwillcode do you include also no needed libaries in your builds? there are about 34k compomentens when scanning the docker image...

[asm0dey]

FTR #25880

[asm0dey]

Had to temporarily shutdown my instance :(

[keithwillcode]

@padey Yes, we are working actively on cleaning up our dependencies. @volnei and @pedroccastro are working hard on it now.

[xcellentavi]

FYI @keithwillcode @emrysal, the latest version on Docker Hub is 5.9.14. I will wait until newer versions can be added before running it again: https://hub.docker.com/r/calcom/cal.com/tags

[keithwillcode]

@xcellentavi Latest for v6.0 are there now.

[xcellentavi]

Thank you, running v6.0.2, no problems so far.

[ivandoomer]

My main GitHub account ivancarlosti remains banned by 2+ weeks and counting, just because I posted on this repo a snipplet of my log, and on my log had a link of a malware injected on my server by this vuln 😠

Please, there is any change of someone on calcom side (@PeerRich @hariombalhara @alishaz-polymath) asks GitHub to unban my account? I opened a ticket but no answer until now

[keithwillcode]

Will see what we can do

[ivandoomer]

Will see what we can do

My account is reactivated 🥳🎉 I opened aticket through enterprise

[keithwillcode]

Great!