You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.
For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.
Patches
The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.
Workarounds
There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.
Prerequisites
Next.js (<14.1.1) is running in a self-hosted* manner.
The Next.js application makes use of Server Actions.
The Server Action performs a redirect to a relative path which starts with a /.
* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.
Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.
Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
The Next.js application is hosted on Vercel.
Patches
This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.
Workarounds
Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.
renovatebot
changed the title
[RENOVATE-BOT] Update dependency next to v14 [SECURITY]
[RENOVATE-BOT] Update dependency next to v14 [SECURITY] - autoclosed
Dec 8, 2024
renovatebot
changed the title
[RENOVATE-BOT] Update dependency next to v14 [SECURITY] - autoclosed
[RENOVATE-BOT] Update dependency next to v14 [SECURITY]
Dec 8, 2024
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
13.4.8
->14.2.15
GitHub Vulnerability Alerts
CVE-2023-46298
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.
CVE-2024-34350
Impact
Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.
For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.
Patches
The vulnerability is resolved in Next.js
13.5.1
and newer. This includes Next.js14.x
.Workarounds
There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.
References
https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning
CVE-2024-34351
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the
Host
header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.Prerequisites
<14.1.1
) is running in a self-hosted* manner./
.* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js
14.1.1
.Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js
14.1.1
.Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote
Shubham Shah - Assetnote
CVE-2024-47831
Impact
The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.
Not affected:
next.config.js
file is configured withimages.unoptimized
set totrue
orimages.loader
set to a non-default value.Patches
This issue was fully patched in Next.js
14.2.7
. We recommend that users upgrade to at least this version.Workarounds
Ensure that the
next.config.js
file has eitherimages.unoptimized
,images.loader
orimages.loaderFile
assigned.Credits
Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras
CVE-2024-39693
Impact
A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.
This vulnerability can affect all Next.js deployments on the affected versions.
Patches
This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.
Workarounds
There are no official workarounds for this vulnerability.
Credit
CVE-2024-51479
Impact
If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.
Patches
This issue was patched in Next.js
14.2.15
and later.If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.
Release Notes
vercel/next.js (next)
v14.2.15
Compare Source
Core Changes
Credits
Huge thanks to @ztanner, @agadzik, @huozhi, @styfle, @icyJoseph and @wyattjoh for helping!
v14.2.14
Compare Source
Core Changes
Credits
Huge thanks to @styfle, @ztanner, @ijjk, @huozhi and @wyattjoh for helping!
v14.2.13
Compare Source
v14.2.12
Compare Source
v14.2.11
Compare Source
v14.2.10
Compare Source
v14.2.9
Compare Source
v14.2.8
Compare Source
v14.2.7
Compare Source
v14.2.6
Compare Source
v14.2.5
Compare Source
v14.2.4
Compare Source
Core Changes
Credits
Huge thanks to @ztanner, @ijjk, @wbinnssmith, @huozhi, and @lubieowoce for helping!
v14.2.3
Compare Source
v14.2.2
Compare Source
v14.2.1
Compare Source
v14.2.0
Compare Source
v14.1.4
Compare Source
v14.1.3
Compare Source
v14.1.2
Compare Source
v14.1.1
Compare Source
Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary
Core Changes
Credits
Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!
v14.1.0
Compare Source
v14.0.4
Compare Source
v14.0.3
Compare Source
v14.0.2
Compare Source
v14.0.1
Compare Source
Core Changes
8c8ee9e
to0c63487
and types: #57772Documentation Changes
Example Changes
with-youtube-embed
example: #57367with-google-maps-embed
example: #57365Misc Changes
create-next-app
: #57262Credits
Huge thanks to @dijonmusters, @sokra, @philwolstenholme, @IgorKowalczyk, @housseindjirdeh, @Zoe-Bot, @HanCiHu, @JackHowa, @goncy, @hirotomoyamada, @pveyes, @yeskunall, @vinaykulk621, @ChendayUP, @leerob, @dvoytenko, @mknichel, @ijjk, @hmaesta, @ajz003, @its-kunal, @joelhooks, @blurrah, @tariknh, @Vinlock, @Nayeem-XTREME, @aziyatali, @aspehler, @huozhi, @ztanner, @ForsakenHarmony, @moka-ayumu, and @gnoff for helping!
v14.0.0
Compare Source
v13.5.7
Compare Source
v13.5.6
Compare Source
Core Changes
Credits
Huge thanks to @ijjk @huozhi @gnoff for helping!
v13.5.5
Compare Source
v13.5.4
Compare Source
Core Changes
beta.nextjs.org
Links: #55924config.experimental.workerThreads
: #55257swc_core
tov0.83.26
: #55780swc_core
tov0.83.26
": #56077permanentRedirect
return 308 in route handlers: #56065boolean
instead offalse
for experimental logging config: #56110postcss
: #56225Documentation Changes
not-found
to file conventions page: #55944extension
option tocreateMDX()
: #55967.bind
method: #56164Response.json
overNextResponse.json
: #56173Example Changes
with-jest
: #56152with-jest
types: #56193with-stripe-typescript
example: #56274Misc Changes
swc_core
tov0.83.28
: #56134Credits
Huge thanks to @balazsorban44, @sdkdeepa, @aayman997, @mayank1513, @timneutkens, @2XG-DEV, @eliot-akira, @hi-matthew, @riobits, @wbinnssmith, @ijjk, @sokra, @dvoytenko, @rishabhpoddar, @manovotny, @A7med3bdulBaset, @huozhi, @jridgewell, @joulev, @SukkaW, @kdy1, @feedthejim, @Fredkiss3, @styfle, @MildTomato, @ForsakenHarmony, @walfly, @bzhn, @shuding, @boylett, @Loki899899, @devrsi0n, @ImBIOS, @vinaykulk621, @ztanner, @sdaigo, @hamirmahal, @blurrah, @omarmciver, and @alexBaizeau for helping!
v13.5.3
Compare Source
v13.5.2
Compare Source
Core Changes
d6dcad6
to2807d78
: #55590@vercel/og
andsatori
: #55654named_import
transform: #55664Documentation Changes
create-next-app
templates: Changebun run dev
commands tobun dev
: #55603Example Changes
Misc Changes
Credits
Huge thanks to @padmaia, @mayank1513, @jakeboone02, @balazsorban44, @kwonoj, @huozhi, @Yovach, @ztanner, @wyattjoh, @GabenGar, @timneutkens, and @shuding for helping!
v13.5.1
Compare Source
Core Changes
output: export
in app router: #54202ua-parser-js
: #54404ssr: false
in App Router: #54411named_import_transform
: #54530optimize_barrel
SWC transform and newoptimizePackageImports
config: #54572permanentRedirect
function in App Router: #54047preload
is not exported fromreact-dom
: #54688@visx/visx
to the import optimization list: #54778Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Taipei, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.