Skip to content

Update dependency next to v15.5.13 [SECURITY]#281

Merged
renovate[bot] merged 1 commit into
developfrom
renovate/npm-next-vulnerability
Mar 22, 2026
Merged

Update dependency next to v15.5.13 [SECURITY]#281
renovate[bot] merged 1 commit into
developfrom
renovate/npm-next-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 22, 2026

This PR contains the following updates:

Package Change Age Confidence
next (source) 15.5.1215.5.13 age confidence

GitHub Vulnerability Alerts

CVE-2026-29057

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

  • Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.
  • Enforce authentication/authorization on backend routes per our security guidance.

Release Notes

vercel/next.js (next)

v15.5.13

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Seoul, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from seueooo as a code owner March 22, 2026 01:41
@vercel
Copy link
Copy Markdown

vercel Bot commented Mar 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
time-capsule Ready Ready Preview, Comment Mar 22, 2026 0:58am

@renovate renovate Bot requested a review from seung365 as a code owner March 22, 2026 01:41
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 22, 2026

This pull request (commit ba3ff60) has been deployed to Vercel ▲ - View GitHub Actions Workflow Logs

Name Link
🌐 Unique https://time-capsule-f4vm39d6c-hs-projects-b4a69d5f.vercel.app
🔍 Inspect https://vercel.com/hs-projects-b4a69d5f/time-capsule/HMebpxPUSB8cW4G8zRrmhFkNeagz

@renovate renovate Bot merged commit 156bfba into develop Mar 22, 2026
6 checks passed
@renovate renovate Bot deleted the renovate/npm-next-vulnerability branch March 22, 2026 04:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@seueooo seueooo Awaiting requested review from seueooo seueooo is a code owner

@seung365 seung365 Awaiting requested review from seung365 seung365 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants