chore(deps): update dependency next to v15 [security]#124
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
requested review from
Jaszkowic,
ff6347,
hanshack and
raphael-arce
as code owners
September 27, 2024 02:24
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
November 4, 2024 05:11
3d47941 to
f627bcd
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
December 21, 2024 17:39
f627bcd to
8b5baa9
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
May 17, 2025 04:18
8b5baa9 to
5fd1f41
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
September 1, 2025 11:55
5fd1f41 to
26b0623
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
December 13, 2025 07:59
26b0623 to
feb84ea
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
March 4, 2026 07:59
feb84ea to
d342c19
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
March 4, 2026 09:17
d342c19 to
0f25ef4
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
March 5, 2026 13:40
0f25ef4 to
109b5ca
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
March 8, 2026 08:06
109b5ca to
19f0140
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
March 10, 2026 21:58
19f0140 to
aebf07b
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
March 31, 2026 17:05
aebf07b to
3d3f02b
Compare
Contributor
Author
|
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
May 14, 2026 19:37
3d3f02b to
f556acc
Compare
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
June 8, 2026 11:17
f556acc to
09b309b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
12.3.3→15.5.16Next.js missing cache-control header may lead to CDN caching empty reply
CVE-2023-46298 / GHSA-c59h-r6p8-q9wc
More information
Details
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
Severity
Low
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js authorization bypass vulnerability
CVE-2024-51479 / GHSA-7gfc-8cq8-jh5f
More information
Details
Impact
If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.
Patches
This issue was patched in Next.js
14.2.15and later.If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
CVE-2025-57752 / GHSA-g5qg-72qw-gw5v
More information
Details
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as
CookieorAuthorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
More details at Vercel Changelog
Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js Content Injection Vulnerability for Image Optimization
CVE-2025-55173 / GHSA-xv57-4mr9-wg8v
More information
Details
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on
images.domainsorimages.remotePatternsare encouraged to upgrade and verify that external image sources are strictly validated.More details at Vercel Changelog
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js Improper Middleware Redirect Handling Leads to SSRF
CVE-2025-57822 / GHSA-4342-x723-ch2f
More information
Details
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into
NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the
next()function.More details at Vercel Changelog
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js Race Condition to Cache Poisoning
CVE-2025-32421 / GHSA-qpjv-v59x-3qc4
More information
Details
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve
pagePropsdata instead of standard HTML.Learn more here
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Authorization Bypass in Next.js Middleware
CVE-2025-29927 / GHSA-f82v-jwr5-mffw
More information
Details
Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
Patches
15.2.314.2.25Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.
Workaround
If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the
x-middleware-subrequestheader from reaching your Next.js application.Credits
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js: HTTP request smuggling in rewrites
CVE-2026-29057 / GHSA-ggv3-7p47-pfv8
More information
Details
Summary
When Next.js rewrites proxy traffic to an external backend, a crafted
DELETE/OPTIONSrequest usingTransfer-Encoding: chunkedcould trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.Impact
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so
content-length: 0is added only when bothcontent-lengthandtransfer-encodingare absent, andtransfer-encodingis no longer removed in that code path.Workarounds
If upgrade is not immediately possible:
DELETE/OPTIONSrequests on rewritten routes at your edge/proxy.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
CVE-2026-44573 / GHSA-36qx-fr4f-26g5
More information
Details
Impact
Applications using the Pages Router with
i18nconfigured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less/_next/data/<buildId>/<page>.jsonrequests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.Fix
The matcher logic was updated to perform the same match as it would on a non-i18n data route.
Workarounds
If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js's Middleware / Proxy redirects can be cache-poisoned
CVE-2026-44572 / GHSA-3g8h-86w9-wvmq
More information
Details
Impact
Next.js uses the
x-nextjs-datarequest header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.When that happened, the middleware/proxy could treat the request as a data request and replace the standard
Locationredirect header with the internalx-nextjs-redirectheader. Browsers do not followx-nextjs-redirect, so the response became an unusable redirect for normal clients.If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a
Locationheader, causing a denial of service for that redirect path until the cache entry expired or was purged.Affected scenarios
This affects applications that:
Fix
The fix stops trusting
x-nextjs-databy itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.Workarounds
Before upgrading, users can reduce risk by:
x-nextjs-datafor affected responsesSeverity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vercel/next.js (next)
v15.5.16Compare Source
This release contains security fixes for the following advisories:
High:
Moderate:
Low:
v15.5.15Compare Source
Please refer the following changelogs for more information about this security release:
https://vercel.com/changelog/summary-of-cve-2026-23869
v15.5.14Compare Source
Core Changes
Credits
Huge thanks to @styfle and @lllomh for helping!
v15.5.13Compare Source
Core Changes
Credits
Huge thanks to @ztanner for helping!
v15.5.12Compare Source
This is a re-release of v15.5.11 applying the turbopack changes.
v15.5.11Compare Source
Core Changes
Credits
Huge thanks to @timneutkens, @mischnic, @ztanner, and @wyattjoh for helping!
v15.5.10Compare Source
Please refer the following changelogs for more information about this security release:
v15.5.9Compare Source
Please see the Next.js Security Update for information about this security patch.
v15.5.8Compare Source
v15.5.7Compare Source
Please see CVE-2025-66478 for additional details about this release.
v15.5.6Compare Source
Core Changes
Credits
Huge thanks to @mischnic for helping!
v15.5.5Compare Source
Core Changes
experimental.middlewareClientMaxBodySizebody cloning limit (#84722)Misc Changes
Credits
Huge thanks to @devjiwonchoi, @ztanner, and @icyJoseph for helping!
v15.5.4Compare Source
Core Changes
Misc Changes
Credits
Huge thanks to @yiminghe, @huozhi, @devjiwonchoi, @mischnic, @lukesandberg, @ztanner, @icyJoseph, @leerob, @fufuShih, @dwrth, @aymericzip, @obendev, @molebox, @OoMNoO, @pontasan, @styfle, @HondaYt, @ryuapp, @lpalmes, and @ijjk for helping!
v15.5.3Compare Source
Core Changes
Credits
Huge thanks to @bgub for helping!
v15.5.2Compare Source
Core Changes
Credits
Huge thanks to @bgub and @ztanner for helping!
v15.5.1Compare Source
Core Changes
Credits
Huge thanks to @bgub, @mischnic, and @ztanner for helping!
v15.5.0Compare Source
Core Changes
@typescript-eslint/switch-exhaustiveness-checkrule: #81583React.unstable_postpone(): #81652images.qualitiesis undefined: #81690pprordynamicIOenabled: #81668__turbopack_load_by_url__: #8166397cdd5d3-20250710to2f0e7e57-20250715: #81678renderToStringfunction: #817072f0e7e57-20250715tod85ec5f5-20250716: #81708next-serverVM: #81664headers/cookies/draftModein'use cache': #81716d85ec5f5-20250716todffacc7b-20250717: #81767getExpectedRequestStorefunction: #81791.next/cache: #81807dffacc7b-20250717toe9638c33-20250721: #81899'use cache: private': #81816browserslist: #81851run-turbopack-compilertrace span: #81917e9638c33-20250721to7513996f-20250722: #819407513996f-20250722toedac0dde-20250723: #81984exhaustive-depsviolations: #82010edac0dde-20250723to3d14fcf0-20250724: #820203d14fcf0-20250724to19baee81-20250725: #8206319baee81-20250725toeaee5308-20250728: #82120eaee5308-20250728to9be531cd-20250729: #82159@next/codemod: update docs url in README: #82135@next/codemod: Addexperimental.turbototurbopackcodemod for Next.js configs: #82134NextRequesttypes: #821729be531cd-20250729to9784cb37-20250730: #82207TURBOPACKenv before loading config: #82162outputFileTracingRootorturbopack.rootoption is provided: #821649784cb37-20250730toc260b38d-20250731: #82247Configuration
📅 Schedule: (in timezone Europe/Berlin)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.