Next.js Cache Poisoning vulnerability on latest react-email 3.0.1 #1734
-
https://github.com/resend/react-email/security/advisories/GHSA-66rw-vq7j-wvq2 and as a temporary solution you can override this dependency in package.json:

```json
"overrides": {
  "react-email": {
    "next": "^14.2.15"
  }
}
```
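Whether an override like the one above actually took effect is only visible in the resolved lock file, since a nested copy of `next` can remain under `node_modules/react-email/node_modules/next`. The script below is an added example for readers of this thread, not code from react-email or from any commenter: it walks a lockfileVersion 2/3 `package-lock.json` `packages` map, lists every installed copy of `next`, and flags any whose version falls in the range quoted in the thread (13.5.1 through 14.2.9; treating both ends as inclusive is an assumption). The lock file content is constructed sample data; to run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.

```javascript
// Added example: audit a package-lock.json for copies of `next` still inside the
// affected range named in the thread. SAMPLE_LOCK is constructed data that mimics
// a lock file where the top-level `next` was bumped but a nested copy was not.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { next: "^14.2.15", "react-email": "3.0.1" } },
    "node_modules/next": { version: "14.2.15" },
    "node_modules/react-email": { version: "3.0.1", dependencies: { next: "14.2.5" } },
    "node_modules/react-email/node_modules/next": { version: "14.2.5" },
  },
};

// Affected range as quoted in the discussion; inclusive ends are an assumption here.
const AFFECTED_MIN = "13.5.1";
const AFFECTED_MAX = "14.2.9";

// Parse "MAJOR.MINOR.PATCH" into three numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not string) comparison, so 14.2.10 sorts after 14.2.9. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 && compareVersions(version, AFFECTED_MAX) <= 0;
}

// Every installed path ending in "node_modules/next", top-level or nested under
// another package, with its resolved version and whether it is in the affected range.
function auditNextCopies(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/next")) continue;
    results.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return results;
}

// True only when no installed copy of `next` is in the affected range.
function lockIsClean(lock) {
  return auditNextCopies(lock).every((r) => !r.affected);
}

function printReport(lock) {
  for (const r of auditNextCopies(lock)) {
    console.log(`${r.affected ? "AFFECTED" : "ok      "} ${r.path} ${r.version}`);
  }
  console.log(lockIsClean(lock) ? "lock file is clean" : "override did not take effect everywhere");
}

printReport(SAMPLE_LOCK);
```

Running it on the constructed lock prints the top-level `next` 14.2.15 as ok and the nested 14.2.5 under react-email as affected, which is exactly the situation the second reply describes. The same walk also catches duplicates that `npm ls next` would show, but in a form that can be committed as a CI check.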
-
Thanks @pavelsushkov, that was one of the things I tried, but for some reason npm didn't follow my overrides and still installed the old version in package-lock.json (I'm assuming this was some npm bug). The process to get this override working was pretty involved. I had to manually replace all incorrect versions of next inside Ideally react-email can update this security vulnerability themselves.
-
As an additional datapoint, I tried the overrides with I'm pretty sure that's worth opening an issue? @brandon-rilla do you want to open one from this discussion?
-
Anyone else experiencing this security issue?
Looks like it's because react-email is using "Next.js between 13.5.1 and 14.2.9".
I might end up just removing the react-email dependency if they don't upgrade their dependency to Next.js >14.2.9.