v4.10.1

Security Notice: CVE-2025-66478 (Critical)

Date: December 3, 2025

Severity: Critical (CVSS 10.0)

CVE: CVE-2025-66478

Summary

A critical remote code execution (RCE) vulnerability has been identified in Next.js and React that affects Sourcebot versions 4.6.5 through 4.10.0 (inclusive). This vulnerability (CVE-2025-66478) exists in the React Flight protocol and could allow an attacker to execute arbitrary code on affected systems.

Affected Versions

The following Sourcebot versions are vulnerable and require immediate upgrade:

• 4.6.5 through 4.10.0 (all versions in this range)

Fixed Versions

• 4.10.1 and later (released December 3, 2025)

Recommended Action

Immediate upgrade required. All users running Sourcebot versions 4.6.5 through 4.10.0 should upgrade to version 4.10.1 or later immediately.

Additional Information

This vulnerability was fixed in Sourcebot v4.10.1 by updating Next.js to version 15.5.7 and React to version 19.2.1, which include the upstream security patches.

References

GitHub Security Advisory
CVE-2025-66478
Sourcebot Changelog

Questions or Concerns

If you have any questions or need assistance with the upgrade, please contact team@sourcebot.dev or open an issue on GitHub.

Note: Sourcebot versions 4.6.4 and earlier are not affected by this vulnerability, as they use Next.js 14.x and React 18, which are not impacted by this CVE.

---

What's Changed

• fix(web): Fix issue where quotes cannot be used within a query by @brendan-kellam in #629
• feat(worker): Add ALWAYS_INDEX_FILE_PATTERNS env var to specify files that should always be indexed by @brendan-kellam in #631
• fix discord link by @brendan-kellam in #634
• fix(web): Fix error when loading files with special characters by @brendan-kellam in #637
• fix(web): Ask sourcebot perf improvements by @brendan-kellam in #632
• fix(web): Fix issue where creating a new Ask thread would result in a 404 by @brendan-kellam in #641
• Shrink Docker image size by ~1/3 by removing unnecessary ops by @thespad in #642
• chore(web): Bake PostHog token into build by @brendan-kellam in #648
• chore(web): Scope code nav to current repository by default by @brendan-kellam in #647
• fix(web): Fix CVE 2025-55182 by @brendan-kellam in #654
• chore(web): Fix mistake of upgrading to a breaking version of next by @brendan-kellam in #656
• chore(web): Server side search telemetry by @brendan-kellam in #652

New Contributors

• @thespad made their first contribution in #642

Full Changelog: v4.10.0...v4.10.1

v4.10.0

Added

• Added support for streaming code search results. #623
• Added buttons to toggle case sensitivity and regex patterns. #623
• Added counts to members, requets, and invites tabs in the members settings. #621
• [Sourcebot EE] Add support for Authentik as a identity provider. #627

Changed

• Changed the default search behaviour to match patterns as substrings and not regular expressions. Regular expressions can be used by toggling the regex button in search bar. #623
• Renamed public query prefix to visibility. Allowed values for visibility are public, private, and any. #623
• Changed archived query prefix to accept values yes, no, and only. #623

Removed

• Removed case query prefix. #623
• Removed branch and b query prefixes. Please use rev: instead. #623
• Removed regex query prefix. #623

Fixed

• Fixed spurious infinite loads with explore panel, file tree, and file search command. #617
• Wipe search context on init if entitlement no longer exists #618
• Fixed Bitbucket repository exclusions not supporting glob patterns. #620
• Fixed issue where the repo driven permission syncer was attempting to sync public repositories. #624
• Fixed issue where worker would not shutdown while a permission sync job (repo or user) was in progress. #624

New Contributors

• @josegrelnx made their first contribution in #620
• @TJReinert made their first contribution in #614

Full Changelog: v4.9.2...v4.10.0

v4.9.2

What's Changed

• docs: update link for telemetry docs by @armans-code in #608
• fix(worker): properly shutdown PostHog client by @brendan-kellam in #609
• fix(worker): Run setInterval as blocking by @brendan-kellam in #607
• fix: return truncated content when token limit exceeded in MCP search_code by @waynesun09 in #604
• feat(web): Add force resync buttons for repo & connections by @brendan-kellam in #610
• fix(worker): Fix issues with gracefully shutting down by @brendan-kellam in #612
• fix(worker): Fix issue where connections would always sync on startup by @brendan-kellam in #613
• fix(web): Search performance improvements by @brendan-kellam in #615
• feat(web): Add env var to configure default max match count by @brendan-kellam in #616

New Contributors

• @armans-code made their first contribution in #608
• @waynesun09 made their first contribution in #604

Full Changelog: v4.9.1...v4.9.2

v4.9.1

What's Changed

• feat: Support running Docker container as non-root by @brendan-kellam & @pjbgf in #599
• fix(docs): Adding additional step for generating database schema in CONTRIBUTING.md by @Furbreeze in #602
• fix: Discord invite links by @brendan-kellam in #606
• feat(deployment): Basic docker-compose file by @brendan-kellam in #480

New Contributors

• @Furbreeze made their first contribution in #602
• @pjbgf made their first contribution in #599

Full Changelog: v4.9.0...v4.9.1

v4.9.0

What's Changed

• fix(ask): Extract reasoning tokens for openai compatible models by @brendan-kellam in #582
• fix(github app): Generate installation tokens each time by @msukkari in #583
• fix(web): Fix "The account is already associated with another user" errors when signing in with GitLab by @brendan-kellam in #584
• feat(ee): GitLab permission syncing by @brendan-kellam in #585
• fix(web): Fix /settings/connections throwing a error when there is a git connection present by @brendan-kellam in #588
• chore(tech-debt): Remove built-in secret manager by @msukkari in #592
• fix(worker): add p-limit to GitHub API calls to avoid overwhelming the node process (or the API rate limits) by @brianphillips in #591
• fix(backend): Limit concurrent git operations to prevent resource exhaustion by @derek-miller in #593
• feat(worker,web): Support google secrets as a token type by @brendan-kellam in #594
• feat(ee): Add ability to link external accounts by @msukkari in #595
• chore(worker): Refactor permission syncing join table to be between Account <> Repo by @brendan-kellam in #600
• feat(web,worker): Environment overrides by @brendan-kellam in #597

New Contributors

• @brianphillips made their first contribution in #591
• @derek-miller made their first contribution in #593

Full Changelog: v4.8.1...v4.9.0

v4.8.1

What's Changed

• chore(web): Bug fixes related to v4.8.0 release by @brendan-kellam in #581

Full Changelog: v4.8.0...v4.8.1

v4.8.0

Added

• Implement dynamic tab titles for files and folders in browse tab. #560
• Added support for passing db connection url as seperate DATABASE_HOST, DATABASE_USERNAME, DATABASE_PASSWORD, DATABASE_NAME, and DATABASE_ARGS env vars. #545
• Added support for GitHub Apps for service auth. #570
• Added prometheus metrics for repo index manager. #571
• Added experimental environment variable to disable API key creation for non-admin users. #577
• [Experimental][Sourcebot EE] Added REST API to get users and delete a user. #578

Fixed

• Fixed "dubious ownership" errors when cloning / fetching repos. #553
• Fixed issue with Ask Sourcebot tutorial re-appearing after restarting the browser. #563
• Fixed repoIndexTimeoutMs not being used for index job timeouts. #567

Changed

• Improved search performance for unbounded search queries. #555
• Improved homepage performance by removing client side polling. #563
• Changed navbar indexing indicator to only report progress for first time indexing jobs. #563
• Improved repo indexing job stability and robustness. #563
• Improved repositories table. #572
• Improved connections table. #579

Removed

• Removed spam "login page loaded" log. #552
• Removed connections management page. #563

New Contributors

• @aanogueira made their first contribution in #370
• @prateek041 made their first contribution in #560

Full Changelog: v4.7.3...v4.8.0

v4.7.3

What's Changed

• fix(ado): Manually pass token through http header for ado server by @msukkari in #543

Full Changelog: v4.7.2...v4.7.3

v4.7.2

What's Changed

• chore(web): Add debug logging to measure homepage load performance by @brendan-kellam in #525
• fix(perf): Add indices to hot paths for repository querying by @brendan-kellam in #526
• chore(web): Remove join on connections for getRepos by @brendan-kellam in #527
• [experimental] feat(ee): GitHub permission syncing by @brendan-kellam in #508
• chore(web): Change carousel and repository list links to link to file tree by @brendan-kellam in #528
• chore: fix support email by @brendan-kellam in #529
• fix(web): Change buttons into Links in various places by @brendan-kellam in #532

Full Changelog: v4.7.1...v4.7.2

v4.7.1

What's Changed

• fix(backend): Sourcebot not pulling github forked repos by @tarangchikhalia in #499
• fix(azure): Set username in azuredevops clone url by @msukkari in #524

New Contributors

• @tarangchikhalia made their first contribution in #499

Full Changelog: v4.7.0...v4.7.1