Update dependency next to v15.5.18 [SECURITY]#295
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
This pull request (commit
|
renovate
Bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
d36e2e9 to
50a1e74
Compare
renovate
Bot
changed the title
|
This pull request (commit
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
15.5.15→15.5.18Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
CVE-2026-44574 / GHSA-492v-c6pp-mqqv
More information
Details
Impact
Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.
Fix
We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.
Workarounds
If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
CVE-2026-45109 / GHSA-26hh-7cqf-hhc6
More information
Details
Impact
It was found that the fix addressing CVE-2026-44575 did not apply to
middleware.tswith Turbopack. Refer to CVE-2026-44575 for further details.References
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
CVE-2026-44575 / GHSA-267c-6grr-h53f
More information
Details
Impact
App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted
.rscand segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.Fix
We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.
Workarounds
If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
CVE-2026-44579 / GHSA-mg66-mrh9-m8jx
More information
Details
Impact
Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.
Fix
We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.
Workarounds
If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the
Next-Resumeheader at the edge.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Next.js vulnerable to cache poisoning in React Server Component responses
CVE-2026-44576 / GHSA-wfc6-r584-vfw7
More information
Details
Impact
Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.
Fix
We now validate and interpret
RSCrequest headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.Workarounds
If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors
Vary, or disable shared caching for affected App Router and RSC responses.Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:LReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vercel/next.js (next)
v15.5.18Compare Source
v15.5.16Compare Source
Configuration
📅 Schedule: (in timezone Asia/Seoul)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.