fix(deps): update dependency next [security]#8
Conversation
Deploying atl-chat with
|
| Latest commit: |
3ef8554
|
| Status: | 🚫 Build failed. |
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| react: ^18 | ||
| react-dom: ^18 |
There was a problem hiding this comment.
Bug: The pnpm-workspace.yaml updates next to version 15 but leaves react at version 18. Next.js 15's App Router requires React 19, creating an incompatibility.
Severity: CRITICAL
Suggested Fix
To resolve the incompatibility, update the react and react-dom versions in the pnpm-workspace.yaml catalog to ^19. This will align the dependencies with the requirements for using the App Router in Next.js 15.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: pnpm-workspace.yaml#L4-L5
Potential issue: The `pnpm-workspace.yaml` file was updated to use `next: 15.5.10`, but
the `react` dependency remains at `^18`. The `apps/web` package uses Next.js's App
Router, which, according to official documentation for Next.js 15, requires React 19 as
a minimum version. This mismatch will cause the application to fail at runtime when it
attempts to use App Router features that depend on React 19, preventing the application
from starting or building correctly.
Did we get this right? 👍 / 👎 to inform future reviews.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 2 files
Confidence score: 3/5
- There is a concrete risk of build/peer dependency conflicts: Next.js 15 requires React 19+, but
pnpm-workspace.yamlstill pins React 18, which can break installs or builds. - Given the mismatch is clear and user-impacting (dependency resolution/build failures), this adds moderate merge risk until versions are aligned.
- Pay close attention to
pnpm-workspace.yaml- upgradereact/react-domto 19.x to match the Next.js bump.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="pnpm-workspace.yaml">
<violation number="1" location="pnpm-workspace.yaml:3">
P1: Next.js 15 requires React 19+, but the catalog still pins React 18. This version mismatch will produce peer dependency conflicts and can break builds. Upgrade `react` and `react-dom` to 19.x alongside the Next.js bump.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
pnpm-workspace.yaml
Outdated
| packages: [apps/*] | ||
| catalog: | ||
| next: 14.2.16 | ||
| next: 15.5.10 |
There was a problem hiding this comment.
P1: Next.js 15 requires React 19+, but the catalog still pins React 18. This version mismatch will produce peer dependency conflicts and can break builds. Upgrade react and react-dom to 19.x alongside the Next.js bump.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At pnpm-workspace.yaml, line 3:
<comment>Next.js 15 requires React 19+, but the catalog still pins React 18. This version mismatch will produce peer dependency conflicts and can break builds. Upgrade `react` and `react-dom` to 19.x alongside the Next.js bump.</comment>
<file context>
@@ -1,7 +1,6 @@
packages: [apps/*]
catalog:
- next: 14.2.16
+ next: 15.5.10
react: ^18
react-dom: ^18
</file context>
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
7c52676 to
38de978
Compare
pnpm-workspace.yaml
Outdated
| packages: [apps/*] | ||
| catalog: | ||
| next: 14.2.16 | ||
| next: 15.5.10 |
There was a problem hiding this comment.
Bug: The upgrade to next@15.5.10 violates the peer dependency constraint of @cloudflare/next-on-pages, which only supports next up to version 15.5.2.
Severity: CRITICAL
Suggested Fix
To resolve this, either downgrade next to a version compatible with @cloudflare/next-on-pages (e.g., <=15.5.2), or upgrade @cloudflare/next-on-pages to a newer version that officially supports next@15.5.10. Check the @cloudflare/next-on-pages release notes for compatibility information.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: pnpm-workspace.yaml#L3
Potential issue: The pull request upgrades `next` to version `15.5.10`. However, the
project uses `@cloudflare/next-on-pages`, which has a declared peer dependency on `next`
within the range `'>=14.3.0 && <=15.5.2'`. The new version `15.5.10` is outside this
supported range. This incompatibility will likely lead to build failures or runtime
errors during deployment to Cloudflare Pages, as the adapter may rely on Next.js
internal APIs that have changed between versions `15.5.2` and `15.5.10`.
38de978 to
dd94ac8
Compare
| datasource | package | from | to | | ---------- | ------- | ------- | ------- | | npm | next | 14.2.16 | 15.5.14 | | npm | next | 16.1.6 | 16.1.7 |
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
dd94ac8 to
3ef8554
Compare
renovate
bot
changed the title
This PR contains the following updates:
14.2.16→15.5.1416.1.6→16.1.7Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Next.js Allows a Denial of Service (DoS) with Server Actions
CVE-2024-56332 / GHSA-7m27-7ghc-44w9
More information
Details
Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.
Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.
Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.
This is the same issue as if the incoming HTTP request has an invalid
Content-Lengthheader or never closes. If the host has no other mitigations to those then this vulnerability is novel.This vulnerability affects only Next.js deployments using Server Actions.
Patches
This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
Thanks to the PackDraw team for responsibly disclosing this vulnerability.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Race Condition to Cache Poisoning
CVE-2025-32421 / GHSA-qpjv-v59x-3qc4
More information
Details
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve
pagePropsdata instead of standard HTML.Learn more here
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Authorization Bypass in Next.js Middleware
CVE-2025-29927 / GHSA-f82v-jwr5-mffw
More information
Details
Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
Patches
15.2.314.2.25Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.
Workaround
If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the
x-middleware-subrequestheader from reaching your Next.js application.Credits
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
CVE-2025-57752 / GHSA-g5qg-72qw-gw5v
More information
Details
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as
CookieorAuthorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
More details at Vercel Changelog
Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Content Injection Vulnerability for Image Optimization
CVE-2025-55173 / GHSA-xv57-4mr9-wg8v
More information
Details
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on
images.domainsorimages.remotePatternsare encouraged to upgrade and verify that external image sources are strictly validated.More details at Vercel Changelog
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Improper Middleware Redirect Handling Leads to SSRF
CVE-2025-57822 / GHSA-4342-x723-ch2f
More information
Details
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into
NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the
next()function.More details at Vercel Changelog
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next Vulnerable to Denial of Service with Server Components
GHSA-mwv6-3258-q52c
More information
Details
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
GHSA-5j59-xgg2-r9c4
More information
Details
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
GHSA-h25m-26qc-wcjf
More information
Details
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
CVE-2025-59471 / GHSA-9g9p-9gw9-jx7f
More information
Details
A DoS vulnerability exists in self-hosted Next.js applications that have
remotePatternsconfigured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires thatremotePatternsis configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js: HTTP request smuggling in rewrites
CVE-2026-29057 / GHSA-ggv3-7p47-pfv8
More information
Details
Summary
When Next.js rewrites proxy traffic to an external backend, a crafted
DELETE/OPTIONSrequest usingTransfer-Encoding: chunkedcould trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.Impact
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so
content-length: 0is added only when bothcontent-lengthandtransfer-encodingare absent, andtransfer-encodingis no longer removed in that code path.Workarounds
If upgrade is not immediately possible:
DELETE/OPTIONSrequests on rewritten routes at your edge/proxy.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js: Unbounded next/image disk cache growth can exhaust storage
CVE-2026-27980 / GHSA-3x4c-7xq6-9pq8
More information
Details
Summary
The default Next.js image optimization disk cache (
/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.
Patches
Fixed by adding an LRU-backed disk cache with
images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. SettingmaximumDiskCacheSize: 0disables disk caching.Workarounds
If upgrade is not immediately possible:
.next/cache/images.images.localPatterns,images.remotePatterns, andimages.qualities)Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js: Unbounded postponed resume buffering can lead to DoS
CVE-2026-27979 / GHSA-h27x-g6w4-24gq
More information
Details
Summary
A request containing the
next-resume: 1header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcingmaxPostponedStateSizein certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.Impact
In applications using the App Router with Partial Prerendering capability enabled (via
experimental.pprorcacheComponents), an attacker could send oversizednext-resumePOST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.Patches
Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.
Workarounds
If upgrade is not immediately possible:
next-resumeheader, as this is never valid to be sent from an untrusted client.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js: null origin can bypass dev HMR websocket CSRF checks
CVE-2026-27977 / GHSA-jcc7-9wpm-mj36
More information
Details
Summary
In
next dev, cross-site protection for internal websocket endpoints could treatOrigin: nullas a bypass case even ifallowedDevOriginsis configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.Impact
If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only.
Apps without a configured
allowedDevOriginsstill allow connections from any origin.Patches
Fixed by validating
Origin: nullthrough the same cross-site origin-allowance checks used for other origins.Workarounds
If upgrade is not immediately possible:
next devto untrusted networks./_next/webpack-hmrwhenOriginisnullat your proxy.Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js: null origin can bypass Server Actions CSRF checks
CVE-2026-27978 / GHSA-mq59-m269-xvcx
More information
Details
Summary
origin: nullwas treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).
Patches
Fixed by treating
'null'as an explicit origin value and enforcing host/origin checks unless'null'is explicitly allowlisted inexperimental.serverActions.allowedOrigins.Workarounds
If upgrade is not immediately possible:
SameSite=Stricton sensitive auth cookies.'null'inserverActions.allowedOriginsunless intentionally required and additionally protected.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vercel/next.js (next)
v15.5.14Compare Source
v15.5.13Compare Source
v15.5.12Compare Source
This is a re-release of v15.5.11 applying the turbopack changes.
v15.5.11Compare Source
Core Changes
Credits
Huge thanks to @timneutkens, @mischnic, @ztanner, and @wyattjoh for helping!
v15.5.10Compare Source
Please refer the following changelogs for more information about this security release:
v15.5.9Compare Source
v15.5.8Compare Source
v15.5.7Compare Source
v15.5.6Compare Source
Core Changes
Credits
Huge thanks to @mischnic for helping!
v15.5.5Compare Source
Core Changes
experimental.middlewareClientMaxBodySizebody cloning limit (#84722)Misc Changes
Credits
Huge thanks to @devjiwonchoi, @ztanner, and @icyJoseph for helping!
v15.5.4Compare Source
Core Changes
Misc Changes
Credits
Huge thanks to @yiminghe, @huozhi, @devjiwonchoi, @mischnic, @lukesandberg, @ztanner, @icyJoseph, @leerob, @fufuShih, @dwrth, @aymericzip, @obendev, @molebox, @OoMNoO, @pontasan, @styfle, @HondaYt, @ryuapp, @lpalmes, and @ijjk for helping!
v15.5.3Compare Source
Core Changes
Credits
Huge thanks to @bgub for helping!
v15.5.2Compare Source
Core Changes
Credits
Huge thanks to @bgub and @ztanner for helping!
v15.5.1Compare Source
Core Changes
Credits
Huge thanks to @bgub, @mischnic, and @ztanner for helping!
v15.5.0Compare Source
Core Changes
@typescript-eslint/switch-exhaustiveness-checkrule: #81583React.unstable_postpone(): #81652images.qualitiesis undefined: #81690pprordynamicIOenabled: #81668__turbopack_load_by_url__: #8166397cdd5d3-20250710to2f0e7e57-20250715: #81678renderToStringfunction: #817072f0e7e57-20250715tod85ec5f5-20250716: #81708next-serverVM: #81664headers/cookies/draftModein'use cache': #81716d85ec5f5-20250716todffacc7b-20250717: #81767getExpectedRequestStorefunction: #81791.next/cache: #81807dffacc7b-20250717toe9638c33-20250721: #81899'use cache: private': #81816browserslist: #81851run-turbopack-compilertrace span: #81917e9638c33-20250721to7513996f-20250722: #81940Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.