[bug]: Potential React2Shell Vulnerability in Plane #8274

@su-four

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

Hello Plane team,

I noticed that Plane is using Next.js 16.0.7, which is reported to be affected by the React2Shell (CVE-2025-55182) vulnerability. This vulnerability can allow remote code execution via React Server Components and the App Router.

Could you please clarify:

Are Plane deployments using Server Components or App Router features that could expose them to React2Shell?

If so, are there patched versions or recommended upgrades to mitigate the risk?

Are there security guidelines for safely deploying Plane in a public environment until patches are applied?

Thank you for your attention — your guidance will help ensure safe adoption of Plane in production environments.

Steps to reproduce

  1. Check out the package.json

Environment

Production

Browser

None

Variant

Self-hosted

Version

1.1.0
