Was rallly vulnerable to the react CVE ?

[seals187]

I got strange behavior on my vps where I host diff apps.
1-2 days ago rallly became 100% unreachable, I stopped and
restarted the docker container. It worked again, but today 10.12.2025
rallly had high memory usage, took almost all my ram on my vps, and it als got high disk reads...

can you "maintainers" please give a statemend to this react cve
https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

I saw you updated the reace version the apps uses, but I dont see any transparent
communication, I missed it ?

cheers

[lukevella]

Yes, Rallly is built with Next.js and so it was vulnerable to the React2Shell CVE. I updated the vulnerable dependencies the day the CVE was announced and released a patch for self-hosters with instructions to update immediately.

I've gotten a number of reports now from users running vulnerable versions and it's clear that I need a better way to communicate these sorts of issues to administrators of self-hosted instances. I'm open to suggestions on how this should be communicated.

[david-uhlig]

I appreciate that you quickly released a patch and reached out to paying customers by email. However, please consider that the contact information from the person paying for the licence isn't always equivalent to the system administrator. So this information might be delayed or lost entirely.

I'm open to suggestions on how this should be communicated.

• I think it would have been warranted to publish this CVE as a vulnerability on the security section. This way, administrators can subscribe to security alerts through the watch feature.
• Additionally, some sort of security mailing list would be appreciated. Maybe subscribable through the admin interface to make it easily discoverable.

[seals187]

damn, well at least a yellow banner on your github page ? that indicates it clearly and transparent that
the app is vulnerable and we all should stop it, update it, check the systems on which we host it etc..

If I need to read your release notes, and ask questions if its vulnerable,
damn thats a crappy userservice.
for me rallly is gone 4-ever

[lukevella]

I understand the frustration, and I’m sorry this incident affected you. To clarify: the README isn’t a practical channel for urgent security notices, since updates there don’t notify anyone. For time-sensitive issues like this, release notes are the correct mechanism because they trigger notifications for anyone watching the repository.

In this case, the release notes explicitly stated that a critical CVE had been fixed and urged all users to update immediately. I recommend watching the repo if you’d like to receive automatic emails for future releases.

This was an unprecedented situation, and I was impacted as well. I’m taking every possible step to address the issue thoroughly and transparently.