fix(deps): update dependency next to v14 [security] by renovate[bot] · Pull Request #98 · mikan3rd/nest-next-sample

renovate · 2021-08-12T18:12:28Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	`10.2.3` → `14.2.35`

XSS in Image Optimization API for Next.js

CVE-2021-39178 / GHSA-9gr3-7897-pp7m

More information

Details

Impact

Affected: All of the following must be true to be affected
- Next.js between version 10.0.0 and 11.1.0
- The next.config.js file has images.domains array assigned
- The image host assigned in images.domains allows user-provided SVG
Not affected: The next.config.js file has images.loader assigned to something other than default
Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

CVE-2022-23646 / GHSA-fmvm-x8mv-47mj

More information

Details

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

Affected: All of the following must be true to be affected
- Next.js between version 10.0.0 and 12.0.10
- The next.config.js file has images.domains array assigned
- The image host assigned in images.domains allows user-provided SVG
Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

Severity

CVSS Score: 5.9 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Unexpected server crash in Next.js.

CVE-2021-43803 / GHSA-25mp-g6fv-mqxx

More information

Details

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Open Redirect in Next.js

CVE-2021-37699 / GHSA-vxf5-wxwp-m7g9

More information

Details

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Impact

Affected: Users of Next.js between 10.0.5 and 10.2.0
Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
Not affected: Deployments on Vercel (vercel.com) are not affected
Not affected: Deployments with pages/404.js
Note that versions prior to 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

Severity

CVSS Score: 6.9 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js missing cache-control header may lead to CDN caching empty reply

CVE-2023-46298 / GHSA-c59h-r6p8-q9wc

More information

Details

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

Severity

Low

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Denial of Service condition in Next.js image optimization

CVE-2024-47831 / GHSA-g77x-44xx-532m

More information

Details

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

Severity

CVSS Score: 4.6 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js authorization bypass vulnerability

CVE-2024-51479 / GHSA-7gfc-8cq8-jh5f

More information

Details

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

CVE-2025-57752 / GHSA-g5qg-72qw-gw5v

More information

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

Severity

CVSS Score: 6.2 / 10 (Medium)
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js Content Injection Vulnerability for Image Optimization

CVE-2025-55173 / GHSA-xv57-4mr9-wg8v

More information

Details

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

Severity

CVSS Score: 4.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js Improper Middleware Redirect Handling Leads to SSRF

CVE-2025-57822 / GHSA-4342-x723-ch2f

More information

Details

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Next.js Race Condition to Cache Poisoning

CVE-2025-32421 / GHSA-qpjv-v59x-3qc4

More information

Details

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

Severity

CVSS Score: 3.7 / 10 (Low)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

vercel/next.js (next)

Conversation

renovate Bot commented Aug 12, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

XSS in Image Optimization API for Next.js

Details

Impact

Patches

Severity

References

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Details

Impact

Patches

Workarounds

Severity

References

Unexpected server crash in Next.js.

Details

Severity

References

Open Redirect in Next.js

Details

Impact

Patches

Severity

References

Next.js missing cache-control header may lead to CDN caching empty reply

Details

Severity

References

Denial of Service condition in Next.js image optimization

Details

Impact

Patches

Workarounds

Credits

Severity

References

Next.js authorization bypass vulnerability

Details

Impact

Patches

Workarounds

Credits

Severity

References

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Details

Severity

References

Next.js Content Injection Vulnerability for Image Optimization

Details

Severity

References

Next.js Improper Middleware Redirect Handling Leads to SSRF

Details

Severity

References

Next.js Race Condition to Cache Poisoning

Details

Severity

References

Release Notes

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Credits

Core Changes

Core Changes

Credits

renovate Bot commented Aug 12, 2021 •

edited

Loading

Support `esmExternals` in app directory