Well, this is embarrassing! I was in my study on the 5th December doing some work, and I noticed that one of my Raspberry Pi's fans was making a lot of noise. So I had a quick look, and sure enough there was a process consuming 350% CPU and on a closer look at my network, I also noticed a huge amount of outbound traffic.
So I shut the RPi down and started investigating.
Firstly, I checked whether I had exposed any secrets. The RPi was isolated in its own VLAN, so in theory it had no access to any personal information in the rest of my network. Also, nothing is stored on my RPi that is not already in the public domain.
So I was mostly happy that nothing was compromised. My assumption is that the code was running as part of a botnet, or some file sharing system.
Next, I wanted to know what the attack vector was to my home lab. I always try to be careful when hosting, but the hackers are always one step ahead!
The only way into my network would have been through the ports for http (80) and https (443), as everything else is blocked by my firewall - I did check! So it had to be to do with one of the services I host.
A quick investigation brought Next.js's advisory for CVE-2025-55182 to my attention. This would allow a malicious actor to craft a request to a website that results in execution of arbitrary code on the host. That sounds very much like what was happening to me.
So, I spent a bit of time upgrading the website to the latest version of NextJS, which includes the patched version of React, and deployed it to my RPi. Because I wanted to get the site up as quickly as possible, I had to deploy with some issues in CSS styling due to tailwind changes, but we are live again.
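The two symptoms that gave the game away here were a runaway process and a burst of outbound traffic. As an added example (not from the original post), this small POSIX shell triage script ties the two together on a Linux host: it flags processes above a CPU threshold and lists each one's established TCP connections. It assumes procps `ps` and iproute2 `ss` are installed; the process and connection names in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the post's own tooling: link high-CPU processes to
# their established outbound TCP connections for quick host triage.
# Requires procps `ps` and iproute2 `ss` (run as root to see all sockets).

# Read "PID %CPU COMMAND" lines on stdin (header first, as `ps` prints it)
# and echo the rows whose %CPU is at or above the threshold in $1.
flag_high_cpu() {
    awk -v limit="$1" 'NR > 1 && $2 + 0 >= limit + 0 { print $1, $2, $3 }'
}

# Snapshot of all processes, busiest first.
ps_snapshot() {
    ps -eo pid,pcpu,comm --sort=-pcpu
}

# Established TCP sockets owned by the given PID. `ss -p` prints the owner
# as users:(("name",pid=NNN,fd=N)), so the trailing comma avoids prefix matches.
outbound_for_pid() {
    ss -tnp state established 2>/dev/null | grep -F "pid=$1,"
}

# Walk the snapshot and print, for each busy process, what it is talking to.
# 100% means one fully busy core; the post's process was at 350%.
triage() {
    limit="${1:-100}"
    ps_snapshot | flag_high_cpu "$limit" | while read -r pid cpu comm; do
        echo "HIGH CPU: pid=$pid cpu=${cpu}% comm=$comm"
        outbound_for_pid "$pid" | sed 's/^/    /'
    done
}
```

Run `triage 150` to list everything above one and a half cores together with its connections; an unfamiliar command name with many established sockets is what to look at first.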
A quick check over a 24-hour period shows no recurrence of the excessive CPU usage or outbound network traffic. So for now I am happy that the issue has been fixed.
That was quick! From the announcement of the vulnerability on the 3rd December 2025 to my lowly, hardly-anybody-visits, self-hosted website being hacked took less than 2 days!
Always... and I mean ALWAYS keep your internet facing code patched and up-to-date!
It doesn't matter how big or small you are, there is data to be farmed, or CPU cycles to be stolen. So keep yourself protected. I know it can be a drag, with upstream API changes requiring you to invest hours of work just to deploy what you already had deployed. But security should never be an afterthought.
Stay safe ❤️