
v4.10.1

Latest


@brendan-kellam brendan-kellam released this 04 Dec 00:08
bcca1d6

Security Notice: CVE-2025-66478 (Critical)

Date: December 3, 2025

Severity: Critical (CVSS 10.0)

CVE: CVE-2025-66478

Summary

A critical remote code execution (RCE) vulnerability (CVE-2025-66478) has been identified in Next.js and React. It affects Sourcebot versions 4.6.5 through 4.10.0 (inclusive). The flaw is in React Flight, the serialization protocol used by React Server Components, and could allow an attacker to execute arbitrary code on the server hosting an affected Sourcebot instance.

Affected Versions

The following Sourcebot versions are vulnerable and require immediate upgrade:

  • 4.6.5 through 4.10.0 (all versions in this range)

Fixed Versions

  • 4.10.1 and later (released December 3, 2025)

Recommended Action

Immediate upgrade required. All users running Sourcebot versions 4.6.5 through 4.10.0 should upgrade to version 4.10.1 or later. After upgrading, confirm that the running instance reports version 4.10.1 or later before considering the exposure closed.

Additional Information

This vulnerability was fixed in Sourcebot v4.10.1 by updating Next.js to version 15.5.7 and React to version 19.2.1, which include the upstream security patches.

References

GitHub Security Advisory
CVE-2025-66478
Sourcebot Changelog

Questions or Concerns

If you have any questions or need assistance with the upgrade, please contact team@sourcebot.dev or open an issue on GitHub.

Note: Sourcebot versions 4.6.4 and earlier are not affected by this vulnerability, as they use Next.js 14.x and React 18, which are not impacted by this CVE.
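The affected and fixed ranges above, together with the note that 4.6.4 and earlier are unaffected, are enough to triage a fleet of deployments. The following is an added example, not Sourcebot's own code, that classifies Sourcebot version strings against exactly those boundaries (4.6.5 first affected, 4.10.1 first fixed) and reports which hosts still need the upgrade. The inventory of host names and version tags is constructed sample data. Two details matter in practice: versions must be compared numerically (a string comparison puts "4.10.0" before "4.6.5" and would mark a vulnerable host as safe), and a pre-release of the first fixed version, such as 4.10.1-rc.1, sorts before 4.10.1 under semver and is therefore still treated as affected.

```javascript
// Added example (not Sourcebot's code): classify Sourcebot version strings
// against the ranges given in this advisory.
//   4.6.4 and earlier   -> unaffected (Next.js 14.x / React 18)
//   4.6.5 .. 4.10.0     -> affected
//   4.10.1 and later    -> fixed

const AFFECTED_MIN = [4, 6, 5];  // first affected release, per the advisory
const FIXED_MIN = [4, 10, 1];    // first fixed release, per the advisory

// Parse "v4.10.1", "4.10.1", "4.10.1-rc.1" or "4.10.1+build" into numeric
// components plus a pre-release flag. Returns null for anything that is not
// a dotted numeric triple, so a malformed inventory entry (for example the
// floating tag "latest") is reported rather than silently treated as safe.
function parseVersion(tag) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(tag).trim());
  if (!m) return null;
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: Boolean(m[4]),
  };
}

// Component-by-component numeric comparison of [major, minor, patch].
// A plain string comparison gets this wrong: "4.10.0" < "4.6.5"
// lexicographically, which would misclassify 4.10.0 as unaffected.
function compareTriples(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "fixed", "unaffected" or "unknown".
function classifySourcebotVersion(tag) {
  const v = parseVersion(tag);
  if (v === null) return "unknown";
  if (compareTriples(v.nums, AFFECTED_MIN) < 0) return "unaffected";
  if (compareTriples(v.nums, FIXED_MIN) < 0) return "affected";
  // Under semver 4.10.1-rc.1 sorts before 4.10.1, so a pre-release of the
  // first fixed version predates the fix and is still treated as affected.
  if (v.prerelease && compareTriples(v.nums, FIXED_MIN) === 0) return "affected";
  return "fixed";
}

// Walk an inventory of deployments and return the hosts that still need the
// upgrade, plus the hosts whose version could not be parsed and must be
// resolved by hand (e.g. by inspecting the running image).
function findDeploymentsNeedingUpgrade(inventory) {
  const report = { affected: [], unknown: [] };
  for (const { host, version } of inventory) {
    const status = classifySourcebotVersion(version);
    if (status === "affected") report.affected.push(host);
    else if (status === "unknown") report.unknown.push(host);
  }
  return report;
}

// Constructed sample inventory; host names and versions are illustrative.
const SAMPLE_INVENTORY = [
  { host: "code-search-prod", version: "v4.10.0" },    // affected
  { host: "code-search-staging", version: "4.10.1" },  // fixed
  { host: "code-search-legacy", version: "v4.6.4" },   // unaffected
  { host: "code-search-dev", version: "4.7.2-rc.1" },  // affected (inside range)
  { host: "code-search-canary", version: "4.10.1-rc.1" }, // affected (predates fix)
  { host: "code-search-lab", version: "latest" },      // unknown: resolve the tag
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findDeploymentsNeedingUpgrade(SAMPLE_INVENTORY), null, 2));
}
```

Run it with `node` against your own inventory; anything under `unknown` (floating tags such as `latest`, or image digests with no version) should be resolved to a concrete release before it is treated as fixed.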


What's Changed

New Contributors

Full Changelog: v4.10.0...v4.10.1