security: fix Next.js CVE-2025-55183, CVE-2025-55184, CVE-2025-67779 vulnerabilities

[devin-ai-integration]

Summary

Updates Next.js from 15.1.6 to 15.1.11 to address critical security vulnerabilities disclosed in the December 11, 2025 security update:

• CVE-2025-55184 (High): Denial of Service via malicious HTTP request causing server to hang
• CVE-2025-55183 (Medium): Source code exposure of Server Functions via crafted request
• CVE-2025-67779 (High): Incomplete fix for CVE-2025-55184

Review & Testing Checklist for Human

• Run pnpm install or npm install to regenerate the lockfile (not included in this PR)
• Verify the app builds successfully: pnpm build
• Quick smoke test: run pnpm dev and confirm the app loads correctly

Recommended test plan: After regenerating the lockfile, build and start the dev server to verify basic functionality works as expected.

Notes

This is a patch version bump (15.1.6 → 15.1.11) which should be backward compatible. The lockfile was not included in this PR and will need to be regenerated after merge.

Link to Devin run: https://app.devin.ai/sessions/f5afeb83b1fd4b1590f6b6d9bc24874f
Requested by: Robin (@jcurbelo)

---

[devin-ai-integration]

Original prompt from Robin

Please search all private and public repositories within the 'Paella-Labs' and 'Crossmint' organizations for the Next.js vulnerability described in the security update from December 11, 2025 (https://nextjs.org/blog/security-update-2025-12-11).

- If the vulnerability is detected, apply the patch using `npx fix-react2shell-next`.
- Ensure all necessary steps for applying the patch are followed.
- For each repository where a patch is applied, create a Pull Request.
- Be aware that some repositories may be monorepos or have the Next.js application located in subfolders; adjust the patching process accordingly.

Submit a Pull Request for each affected repository. Do not test locally; rely on CI to pass.

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[greptile-apps]

Greptile Overview

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• Score reflects a straightforward security patch version bump (15.1.6 → 15.1.11) that addresses critical CVEs with no breaking changes expected. The change is limited to a single dependency version update in package.json.
• No files require special attention

Important Files Changed

File Analysis

Filename	Score	Overview
launchpad-starter-next-app/package.json	5/5	Updated Next.js from 15.1.6 to 15.1.11 to patch critical security vulnerabilities (CVE-2025-55184, CVE-2025-55183, CVE-2025-67779)

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

style: Lockfile (pnpm-lock.yaml) still references next@15.1.6 and needs regeneration to complete this security update.

Check that pnpm install is run after merging.

Prompt To Fix With AI

This is a comment left during a code review.
Path: launchpad-starter-next-app/package.json
Line: 27:27

Comment:
**style:** Lockfile (`pnpm-lock.yaml`) still references `next@15.1.6` and needs regeneration to complete this security update.

Check that `pnpm install` is run after merging.

How can I resolve this? If you propose a fix, please make it concise.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional flag.