This PR contains the following updates:
GitHub Vulnerability Alerts
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If theHost header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.
Prerequisites
- Next.js (
<14.1.1) is running in a self-hosted* manner. - The Next.js application makes use of Server Actions.
- The Server Action performs a redirect to a relative path which starts with a
/.
* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in#62561 and fixed in Next.js14.1.1.
Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js14.1.1.
Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote
Shubham Shah - Assetnote
Impact
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send aCache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.
To be potentially affected all of the following must apply:
- Next.js between 13.5.1 and 14.2.9
- Using pages router
- Using non-dynamic server-side rendered routes e.g.
pages/dashboard.tsx notpages/blog/[slug].tsx
The below configurations are unaffected:
- Deployments using only app router
- Deployments onVercel are not affected
Patches
This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.
Workarounds
There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.
Credits
- Allam Rachid (zhero_)
- Henry Chen
Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
- The
next.config.js file is configured withimages.unoptimized set totrue orimages.loader set to a non-default value. - The Next.js application is hosted on Vercel.
Patches
This issue was fully patched in Next.js14.2.7. We recommend that users upgrade to at least this version.
Workarounds
Ensure that thenext.config.js file has eitherimages.unoptimized,images.loader orimages.loaderFile assigned.
Credits
Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras
Impact
If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.
Patches
This issue was patched in Next.js14.2.15 and later.
If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
We'd like to thanktyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.
Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.
Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.
This is the same issue as if the incoming HTTP request has an invalidContent-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.
This vulnerability affects only Next.js deployments using Server Actions.
Patches
This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
Thanks to the PackDraw team for responsibly disclosing this vulnerability.
Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
Patches
- For Next.js 15.x, this issue is fixed in
15.2.3 - For Next.js 14.x, this issue is fixed in
14.2.25 - For Next.js 13.x, this issue is fixed in 13.5.9
- For Next.js 12.x, this issue is fixed in 12.3.5
- For Next.js 11.x, consult the below workaround.
Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.
Workaround
If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain thex-middleware-subrequest header from reaching your Next.js application.
Credits
- Allam Rachid (zhero;)
- Allam Yasser (inzo_)
Summary
A low-severity vulnerability inNext.js has been fixed inversion 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage whilenpm run dev is active.
Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configureallowedDevOrigins in your next config after upgrading to a patched version.Learn more.
Learn more:https://vercel.com/changelog/cve-2025-48068
Credit
Thanks tosapphi-red andRadman Siddiki for responsibly disclosing this issue.
Release Notes
vercel/next.js (next)
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
Credits
Huge thanks to@ijjk and@ztanner for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Only share incremental cache for edge in next start (#79389)
Credits
Huge thanks to@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- fix: node.js module import error when using middleware (#77945)
Credits
Huge thanks to@ztanner for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- fix dynamic route interception not working when deployed with middleware (#64923)
Credits
Huge thanks to@ztanner for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Match subrequest handling for edge and node (#77476)
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
This release contains a security patch forCVE-2025-29927.
Core Changes
- Update middleware request header (#77202)
Credits
Huge thanks to@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- fix: ensure lint worker errors aren't silenced (#75779)
- add additional x-middleware-set-cookie filtering (#75561 𑼊)
Credits
Huge thanks to@ztanner for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- backport: force module format for virtual client-proxy (#74590)
- Backport: Use provided waitUntil for pending revalidates (#74573)
- Feature: next/image: add support for images.qualities in next.config (#74500)
Credits
Huge thanks to@styfle,@ijjk and@lubieowoce for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Retry manifest file loading only in dev mode:#73900
- Ensure workers are cleaned up:#71564
- Use shared worker for lint & typecheck steps:#74154
Credits
Huge thanks to@unstubbable,@ijjk, and@ztanner for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
Misc Changes
- chore(docs): add missing search: '' on remotePatterns:#73927
- chore(docs): update version history of next/image:#73926
Credits
Huge thanks to@unstubbable,@ztanner, and@styfle for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
Credits
Huge thanks to@wyattjoh for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- ensure worker exits bubble to parent process (#73433)
- Increase max cache tags to 128 (#73125)
Misc Changes
- Update max tag items limit in docs (#73445)
Credits
Huge thanks to@ztanner and@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Fix: (third-parties) sendGTMEvent not queueing events before GTM init (#68683) (#72111)
- Ignore error pages for cache revalidate (#72412) (#72484)
Credits
Huge thanks to@huozhi and@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Fix: revert the bad node binary handling (#72356)
- Ensure pages/500 handles cache-control as expected (#72050) (#72110)
- fix unhandled runtime error from generateMetadata in parallel routes (#72153)
Credits
Huge thanks to@huozhi,@ztanner, and@ijjk for helping!
Compare Source
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- support breadcrumb style catch-all parallel routes#65063
- Provide non-dynamic segments to catch-all parallel routes#65233
- Fix client reference access causing metadata missing#70732
- feat(next/image): add support for decoding prop#70298
- feat(next/image): add images.localPatterns config#70529
- fix(next/image): handle undefined images.localPatterns config in images-manifest.json
- fix: Do not omit alt on getImgProps return type, ImgProps#70608
- [i18n] Routing fix#70761
Credits
Huge thanks to@ztanner,@agadzik,@huozhi,@styfle,@icyJoseph and@wyattjoh for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Fix: clone response in first handler to prevent race (#70082) (#70649)
- Respect reexports from metadata API routes (#70508) (#70647)
- Externalize node binary modules for app router (#70646)
- Fix revalidateTag() behaviour when invoked in server components (#70446) (#70642)
- Fix prefetch bailout detection for nested loading segments (#70618)
- Add missing node modules to externals (#70382)
- Feature: next/image: add support for images.remotePatterns.search (#70302)
Credits
Huge thanks to@styfle,@ztanner,@ijjk,@huozhi and@wyattjoh for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Fix missing cache-control on SSR app route (#70265)
- feat: add polyfill of URL.canParse for browser compatibility (#70228)
- Fix vercel og package memory leak (#70214)
- Fix startTime error on Android 9 with Chrome 74 (#67391)
Credits
Huge thanks to@raeyoung-kim,@huozhi,@devjiwonchoi, and@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- update prefetching jsdoc & documentation (#68047)
- Ensure we chunk revalidate tag requests (#70189)
- (backport) fix(eslint): allow typescript-eslint v8 (#70090)
- [ppr] Don't mark RSC requests as /_next/data requests (backport of#66249) (#70083)
Credits
Huge thanks to@alvarlagerlof,@wyattjoh,@delbaoliveira, and@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- fix: correct metadata url suffix (#69959)
- fix: setting assetPrefix to URL format breaks HMR (#70040)
- Update revalidateTag to batch tags in one request (#65296)
Credits
Huge thanks to@huozhi,@devjiwonchoi, and@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Remove invalid fallback revalidate value (#69990)
- Revert server action optimization (#69925)
- Add ability to customize Cache-Control (#69802)
Credits
Huge thanks to@huozhi and@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Revert "Fix esm property def in flight loader (#66990)" (#69749)
- Disable experimental.optimizeServer by default to fix failed server action (#69788)
- Fix middleware fallback: false case (#69799)
- Fix status code for /_not-found route (#64058) (#69808)
- Fix metadata prop merging (#69807)
- create-next-app: fix font file corruption when using import alias (#69806)
Credits
Huge thanks to@huozhi,@ztanner,@ijjk, and@lubieowoce for helping!
Compare Source
What's Changed
[!NOTE]
This release is backporting bug fixes and minor improvements. It doesnot include all pending features/changes on canary.
SupportesmExternals in app directory
Reading cookies set in middleware in components and actions
- initialize ALS with cookies in middleware (#65008)
- fix middleware cookie initialization (#65820)
- ensure cookies set in middleware can be read in a server action (#67924)
- fix: merged middleware cookies should preserve options (#67956)
Metadata and icons
- support facebook-specific metadata (
fb:app_id,fb:admins) in generateMetaData (#65713) - Always collect static icons for all segments (#68712)
- Fix favicon merging with customized icons (#67982)
- Warn metadataBase missing in standalone mode or non vercel deployment (#66296)
Parallel routes fixes
- fix missing stylesheets when parallel routes are present (#69507)
Draft mode and edge improvements
next/image fixes
- Allow external image urls with _next/image pathname to be rendered via Image component (#69586)
Server actions improvements
- optimize server actions (#66523)
- Apply optimization for unused actions (#69178)
- Improve SWC transform ID generation (#69183)
Other changes
- Ensure we match comment minify behavior between terser and swc (#68372)
- send initialCanonicalUrl in array format to prevent crawler confusion (#69509)
Create-next-app updates
Full Changelog:vercel/next.js@v14.2.7...v14.2.8
Huge thanks to everyone who contributed to this release:
@abhi12299,@delbaoliveira,@eps1lon,@ForsakenHarmony,@huozhi,@ijjk,@JoshuaKGoldberg,@leerob,@lubieowoce,@Netail,@ronanru,@samcx,@shuding,@sokra,@stylessh,@timfuhrmann,@wbinnssmith,@wyattjoh,@ypessoa,@ztanner
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Revert "chore: externalize undici for bundling" (#65727)
- Refactor internal routing headers to use request meta (#66987)
- fix(next): add cross origin in react dom preload (#67423)
- build: upgrade edge-runtime (#67565)
- GTM dataLayer parameter should take an object, not an array of strings (#66339)
- fix: properly patch lockfile against swc bindings (#66515)
- Add deployment id header for rsc payload if present (#67255)
- Update font data (#68639)
- fix i18n data pathname resolving (#68947)
- pages router: ensure x-middleware-cache is respected (#67734)
- Fix bad modRequest in flight entry manifest#68888
- Reject next image urls in image optimizer#68628
- Fix hmr assetPrefix escaping and reuse logic from other files#67983
Credits
Huge thanks to@kjugi,@huozhi,@ztanner,@SukkaW,@marlier,@Kikobeats,@syi0808,@ijjk, and@samcx for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Ensure fetch cache TTL is updated properly (#69164)
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- avoid merging global css in a way that leaks into other chunk groups (#67373)
- Fix server action edge redirect with middleware rewrite (#67148)
- fix(next): reject protocol-relative URLs in image optimization (#65752)
- fix(next-swc): correct path interop to filepath for wasm (#65633)
- Use addDependency to track metadata route file changes (#66714)
- Fix noindex is missing on static not-found page (#67135)
- perf: improve retrieving versionInfo on Turbo HMR (#67309)
- fix(next/image): handle invalid url (#67465)
- fix(next): initial prefetch cache not set properly with different search params (#65977)
- fix: Backport class properties fix (#67377)
- Upgrade acorn (#67592)
Misc
- Log stdio for pull-turbo-cache script (#66759)
- Ensure turbo is setup when building in docker (#66804)
Credits
Huge thanks to@devjiwonchoi,@ijjk,@emmerich,@huozhi,@kdy1,@kwonoj,@styfle, and@sokra for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- fix: ensure route handlers properly track dynamic access (#66446)
- fix NextRequest proxy in edge runtime (#66551)
- Fix next/dynamic with babel and src dir (#65177)
- Use vercel deployment url for metadataBase fallbacks (#65089)
- fix(next/image): detect react@19 for fetchPriority prop (#65235)
- Fix loading navigation with metadata and prefetch (#66447)
- prevent duplicate RSC fetch when action redirects (#66620)
- ensure router cache updates reference the latest cache values (#66681)
- Prevent append of trailing slash in cases where path ends with a file extension (#66636)
- Fix inconsistency with 404 getStaticProps cache-control (#66674)
- Use addDependency to track metadata route file changes (#66714)
- Add timeout/retry handling for fetch cache (#66652)
- fix: app-router prefetch crash when an invalid URL is passed to Link (#66755)
Credits
Huge thanks to@ztanner,@ijjk,@wbinnssmith,@huozhi, and@lubieowoce for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Fix: resolve mixed re-exports module as cjs (#64681)
- fix: mixing namespace import and named import client components (#64809)
- Fix mixed exports in server component with barrel optimization (#64894)
- Fix next/image usage in mdx(#64875)
- fix(fetch-cache): fix additional typo, add type & data validation (#64799)
- prevent erroneous route interception during lazy fetch (#64692)
- fix root page revalidation when redirecting in a server action (#64730)
- fix: remove traceparent from cachekey should not remove traceparent from original object (#64727)
- Clean-up fetch metrics tracking (#64746)
Credits
Huge thanks to@huozhi,@samcx,@ztanner,@Jeffrey-Zutt, and@ijjk for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- Fix Server Action error logs for unhandled POST requests (#64315)
- Improve rendering performance (#64408)
- Fix the method prop case in Server Actions transform (#64398)
- fix(next-lint): update option --report-unused-disable-directives to --report-unused-disable-directives-severity (#64405)
- tweak test for Azure (#64424)
- router restore should take priority over pending actions (#64449)
- Fix client boundary inheritance for barrel optimization (#64467)
- improve turborepo caching (#64493)
- feat: strip traceparent header from cachekey (#64499)
- Fix more Turbopack build tests
- Update lockfile for compatibility with turbo (#64360)
- Fix typo in dynamic-rendering.ts (#64365)
- Fix DynamicServerError not being thrown in fetch (#64511)
- fix(next): Metadata.openGraph values not resolving basic values when type is set (#63620)
- disable production chunking in dev (#64488)
- Fix cjs client components tree-shaking (#64558)
- fix refresh behavior for discarded actions (#64532)
- fix: filter out middleware requests in logging (#64549)
- Turbopack: Allow client components to be imported in app routes (#64520)
- Fix ASL bundling for dynamic css (#64451)
- add pathname normalizer for actions (#64592)
- fix incorrect refresh request when basePath is set (#64589)
- test: skip turbopack build test (#64356)
- hotfix(turbopack): Update with patch for postcss.config.js path resolution on Windows (#64677)
Credits
Huge thanks to@shuding,@coltonehrman,@ztanner,@huozhi,@sokra,@Jeffrey-Zutt,@timneutkens,@wbinnssmith,@wiesson,@ijjk,@devjiwonchoi, and@bgw for helping!
Compare Source
[!NOTE]
This release is backporting bug fixes. It doesnot include all pending features/changes on canary.
Core Changes
- use pathToFileUrl to make esm import()s work with absolute windows paths (#64386)@sokra
Credits
Huge thanks to@sokra for helping!
Compare Source
Learn more:https://nextjs.org/blog/next-14-2
Core Changes
- Update build worker warning to use debug:#60847
- fix: added@sentry/profiling-node to sep list to prevent build/bundle breakage:#60855
- Optimize build trace ignores:#60859
- Deprecation warning for config.analyticsId:#60677
- chore: indicate staleness more prominently in
next info output:#60376 - Telemetry: createComponentTree span:#60857
- chore: replace micromatch w/ picomatch:#60699
- Report HMR latency as trace spans for Turbopack:#60799
- Turbopack: always log HMR rebuild times:#60908
- Error overlay refactors:#60886
- Use precompiled source-map in overlay middleware:#60932
- Use more precompiled deps in react-dev-overlay:#60959
- Fix next phase for next build:#60969
- chore: update turbopack:#60980
- refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc:#59300
- disable static generation on interception routes:#61004
- Docs: Address community feedback:#60960
- avoid output of webpack stats:#61023
- Revert "refactor(analysis): rust based page-static-info, deprecate js parse interface in next-swc":#61021
- fix useSelectedLayoutSegment's support for parallel routes:#60912
- Dynamic APIs:#60645
- Enable next.js version checker in turbopack:#61034
- chore: Update
terser tov5.27.0:#61068 - Update
swc_core tov0.87.28:#60876 - update turbopack:#61015
- Implement client_root for edge in Turbopack:#61024
- fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes:#60776
- fix(image): warn when animated image is missing
unoptimized prop:#61045 - Fix version checker not displaying when version newer than npm:#61075
- Fix sitemap generateSitemaps support for string id:#61088
- ppr: ensure the router state tree is provided for interception routes:#61059
- Improve the Server Actions SWC transform:#61001
- Fix instrument bundling as client components:#60984
- fix(turbopack): use correct layout for 404 page:#61032
- fix: emotion import source should be enabled in SSR contexts:#61099
- chore: update turbopack:#61090
- fix(turbopack): custom page extensions for
_app:#60789 - Disable trace uploads with NEXT_TRACE_UPLOAD_DISABLE:#61101
- add
optimizeServerReact to config-shared:#61106 - Fix filesystempublicroutes test for Turbopack:#61132
- chore: upgrade webpack to 5.90.0:#61109
- Add
maxDuration to typescript plugin allowed exports:#59193 - Upgrade Turbopack:#61190
- build: remove sentry from the externals list:#61194
- exclude default routes from isPageStatic check:#61173
- Add stack trace to client rendering bailout error:#61200
- chore: refactor image optimization to separate external/internal urls:#61172
- parallel routes: support multi-slot layouts:#61115
- Refine revalidatePath warning message:#61220
- revert changes to process default routes at build:#61241
- Fix cookie merging in Server Action redirections:#61113
- Update
swc_core tov0.89.x:#61086 - Fix Server Reference being double registered:#61244
- Fix Server Action redirection with absolute internal URL:#60798
- Fix indentation in source code of dev overlay:#61216
- Update
swc_core tov0.89.4:#61285 - fix: Revert
preset-env mode ofstyled-jsx in webpack mode:#61306 - DX: add route context to the dynamic errors:#61332
- Telemetry: add time-to-first-byte signal:#61238
- Refine logging message of experiments:#61337
- fix(turbopack): don't parse
.ts files as.tsx:#61219 - Update turbopack:#61381
- Same as#61360:#61369
- Always respect NEXT_TRACE_UPLOAD_DISABLED:#61402
- parallel routes: fix catch-all slots being treated as optional catch-all:#61174
- fix hmr telemetry reporting:#61420
- chore: Update
swc_core tov0.89.6:#61426 - Update turbopack:#61433
- fix a perf problem in VersionedContentMap:#61442
- Fix next dynamic import named export from client components:#61378
- fix issues loading CSS in default slots:#61428
- avoid sending issues turbopack messages to bro
Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated byMend Renovate. View therepository job log.
Uh oh!
There was an error while loading.Please reload this page.
This PR contains the following updates:
13.5.4->14.2.30GitHub Vulnerability Alerts
CVE-2024-34351
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the
Hostheader is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.Prerequisites
<14.1.1) is running in a self-hosted* manner./.* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in#62561 and fixed in Next.js
14.1.1.Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js
14.1.1.Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote
Shubham Shah - Assetnote
CVE-2024-46982
Impact
By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a
Cache-Control: s-maxage=1, stale-while-revalidateheader which some upstream CDNs may cache as well.To be potentially affected all of the following must apply:
pages/dashboard.tsxnotpages/blog/[slug].tsxThe below configurations are unaffected:
Patches
This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.
Workarounds
There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.
Credits
CVE-2024-47831
Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
next.config.jsfile is configured withimages.unoptimizedset totrueorimages.loaderset to a non-default value.Patches
This issue was fully patched in Next.js
14.2.7. We recommend that users upgrade to at least this version.Workarounds
Ensure that the
next.config.jsfile has eitherimages.unoptimized,images.loaderorimages.loaderFileassigned.Credits
Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras
CVE-2024-51479
Impact
If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.
Patches
This issue was patched in Next.js
14.2.15and later.If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
We'd like to thanktyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
CVE-2024-56332
Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.
Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.
Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.
This is the same issue as if the incoming HTTP request has an invalid
Content-Lengthheader or never closes. If the host has no other mitigations to those then this vulnerability is novel.This vulnerability affects only Next.js deployments using Server Actions.
Patches
This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
Thanks to the PackDraw team for responsibly disclosing this vulnerability.
CVE-2025-29927
Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
Patches
15.2.314.2.25Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.
Workaround
If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the
x-middleware-subrequestheader from reaching your Next.js application.Credits
CVE-2025-48068
Summary
A low-severity vulnerability inNext.js has been fixed inversion 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while
npm run devis active.Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure
allowedDevOriginsin your next config after upgrading to a patched version.Learn more.Learn more:https://vercel.com/changelog/cve-2025-48068
Credit
Thanks tosapphi-red andRadman Siddiki for responsibly disclosing this issue.
Release Notes
vercel/next.js (next)
v14.2.30Compare Source
Core Changes
config.allowedDevOrigins(#80410) (Learn More)Credits
Huge thanks to@ijjk and@ztanner for helping!
v14.2.29Compare Source
Core Changes
Credits
Huge thanks to@ijjk for helping!
v14.2.28Compare Source
Core Changes
Credits
Huge thanks to@ztanner for helping!
v14.2.27Compare Source
Core Changes
Credits
Huge thanks to@ztanner for helping!
v14.2.26Compare Source
Core Changes
v14.2.25Compare Source
Core Changes
Credits
Huge thanks to@ijjk for helping!
v14.2.24Compare Source
Core Changes
Credits
Huge thanks to@ztanner for helping!
v14.2.23Compare Source
Core Changes
Credits
Huge thanks to@styfle,@ijjk and@lubieowoce for helping!
v14.2.22Compare Source
Core Changes
Credits
Huge thanks to@unstubbable,@ijjk, and@ztanner for helping!
v14.2.21Compare Source
Core Changes
14898b6to178c267:#74115Misc Changes
Credits
Huge thanks to@unstubbable,@ztanner, and@styfle for helping!
v14.2.20Compare Source
Core Changes
Credits
Huge thanks to@wyattjoh for helping!
v14.2.19Compare Source
Core Changes
Misc Changes
Credits
Huge thanks to@ztanner and@ijjk for helping!
v14.2.18Compare Source
Core Changes
Credits
Huge thanks to@huozhi and@ijjk for helping!
v14.2.17Compare Source
Core Changes
Credits
Huge thanks to@huozhi,@ztanner, and@ijjk for helping!
v14.2.16Compare Source
v14.2.15Compare Source
Core Changes
Credits
Huge thanks to@ztanner,@agadzik,@huozhi,@styfle,@icyJoseph and@wyattjoh for helping!
v14.2.14Compare Source
Core Changes
Credits
Huge thanks to@styfle,@ztanner,@ijjk,@huozhi and@wyattjoh for helping!
v14.2.13Compare Source
Core Changes
Credits
Huge thanks to@raeyoung-kim,@huozhi,@devjiwonchoi, and@ijjk for helping!
v14.2.12Compare Source
Core Changes
Credits
Huge thanks to@alvarlagerlof,@wyattjoh,@delbaoliveira, and@ijjk for helping!
v14.2.11Compare Source
Core Changes
Credits
Huge thanks to@huozhi,@devjiwonchoi, and@ijjk for helping!
v14.2.10Compare Source
Core Changes
Credits
Huge thanks to@huozhi and@ijjk for helping!
v14.2.9Compare Source
Core Changes
Credits
Huge thanks to@huozhi,@ztanner,@ijjk, and@lubieowoce for helping!
v14.2.8Compare Source
What's Changed
Support
esmExternalsin app directoryReading cookies set in middleware in components and actions
Metadata and icons
fb:app_id,fb:admins) in generateMetaData (#65713)Parallel routes fixes
Draft mode and edge improvements
next/imagefixesServer actions improvements
Other changes
Create-next-app updates
create-next-apptemplate CSS (#66043)create-next-apppublic/ assets from local folder→ remote URL (#66931)Full Changelog:vercel/next.js@v14.2.7...v14.2.8
Huge thanks to everyone who contributed to this release:
@abhi12299,@delbaoliveira,@eps1lon,@ForsakenHarmony,@huozhi,@ijjk,@JoshuaKGoldberg,@leerob,@lubieowoce,@Netail,@ronanru,@samcx,@shuding,@sokra,@stylessh,@timfuhrmann,@wbinnssmith,@wyattjoh,@ypessoa,@ztanner
v14.2.7Compare Source
Core Changes
Credits
Huge thanks to@kjugi,@huozhi,@ztanner,@SukkaW,@marlier,@Kikobeats,@syi0808,@ijjk, and@samcx for helping!
v14.2.6Compare Source
Core Changes
v14.2.5Compare Source
Core Changes
Misc
Credits
Huge thanks to@devjiwonchoi,@ijjk,@emmerich,@huozhi,@kdy1,@kwonoj,@styfle, and@sokra for helping!
v14.2.4Compare Source
Core Changes
Credits
Huge thanks to@ztanner,@ijjk,@wbinnssmith,@huozhi, and@lubieowoce for helping!
v14.2.3Compare Source
Core Changes
Credits
Huge thanks to@huozhi,@samcx,@ztanner,@Jeffrey-Zutt, and@ijjk for helping!
v14.2.2Compare Source
Core Changes
Credits
Huge thanks to@shuding,@coltonehrman,@ztanner,@huozhi,@sokra,@Jeffrey-Zutt,@timneutkens,@wbinnssmith,@wiesson,@ijjk,@devjiwonchoi, and@bgw for helping!
v14.2.1Compare Source
Core Changes
Credits
Huge thanks to@sokra for helping!
v14.2.0Compare Source
Learn more:https://nextjs.org/blog/next-14-2
Core Changes
next infooutput:#60376tersertov5.27.0:#61068swc_coretov0.87.28:#60876unoptimizedprop:#61045_app:#60789optimizeServerReactto config-shared:#61106maxDurationto typescript plugin allowed exports:#59193swc_coretov0.89.x:#61086swc_coretov0.89.4:#61285preset-envmode ofstyled-jsxin webpack mode:#61306.tsfiles as.tsx:#61219swc_coretov0.89.6:#61426Configuration
📅Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated byMend Renovate. View therepository job log.