Commit 1572be1
fix(deps): update dependency next to v16.1.7 [security] (#1196)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | [`16.1.5` → `16.1.7`](https://renovatebot.com/diffs/npm/next/16.1.5/16.1.7) | | |
### GitHub Vulnerability Alerts
#### [CVE-2026-27978](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx)
## Summary
`origin: null` was treated as a "missing" origin during Server Action
CSRF validation. As a result, requests from opaque contexts (such as
sandboxed iframes) could bypass origin verification instead of being
validated as cross-origin requests.
## Impact
An attacker could induce a victim browser to submit Server Actions from
a sandboxed context, potentially executing state-changing actions with
victim credentials (CSRF).
## Patches
Fixed by treating `'null'` as an explicit origin value and enforcing
host/origin checks unless `'null'` is explicitly allowlisted in
`experimental.serverActions.allowedOrigins`.
## Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer `SameSite=Strict` on sensitive auth cookies.
- Do not allow `'null'` in `serverActions.allowedOrigins` unless
intentionally required and additionally protected.
#### [CVE-2026-27977](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36)
## Summary
In `next dev`, cross-site protection for internal websocket endpoints
could treat `Origin: null` as a bypass case even if
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
is configured, allowing privacy-sensitive/opaque contexts (for example
sandboxed documents) to connect unexpectedly.
## Impact
If a dev server is reachable from attacker-controlled content, an
attacker may be able to connect to the HMR websocket channel and
interact with dev websocket traffic. This affects development mode only.
Apps without a configured
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
still allow connections from any origin.
## Patches
Fixed by validating `Origin: null` through the same cross-site
origin-allowance checks used for other origins.
## Workarounds
If upgrade is not immediately possible:
- Do not expose `next dev` to untrusted networks.
- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is
`null` at your proxy.
#### [CVE-2026-27979](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq)
## Summary
A request containing the `next-resume: 1` header (corresponding with a
PPR resume request) would buffer request bodies without consistently
enforcing `maxPostponedStateSize` in certain setups. The previous
mitigation protected minimal-mode deployments, but equivalent
non-minimal deployments remained vulnerable to the same unbounded
postponed resume-body buffering behavior.
## Impact
In applications using the App Router with Partial Prerendering
capability enabled (via `experimental.ppr` or `cacheComponents`), an
attacker could send oversized `next-resume` POST payloads that were
buffered without consistent size enforcement in non-minimal deployments,
causing excessive memory usage and potential denial of service.
## Patches
Fixed by enforcing size limits across all postponed-body buffering paths
and erroring when limits are exceeded.
## Workarounds
If upgrade is not immediately possible:
- Block requests containing the `next-resume` header, as this is never
valid to be sent from an untrusted client.
#### [CVE-2026-29057](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8)
## Summary
When Next.js rewrites proxy traffic to an external backend, a crafted
`DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could
trigger request boundary disagreement between the proxy and backend.
This could allow request smuggling through rewritten routes.
## Impact
An attacker could smuggle a second request to unintended backend routes
(for example, internal/admin endpoints), bypassing assumptions that only
the configured rewrite destination/path is reachable. This does not
impact applications hosted on providers that handle rewrites at the CDN
level, such as Vercel.
## Patches
The vulnerability originated in an upstream library vendored by Next.js.
It is fixed by updating that dependency’s behavior so `content-length:
0` is added only when both `content-length` and `transfer-encoding` are
absent, and `transfer-encoding` is no longer removed in that code path.
## Workarounds
If upgrade is not immediately possible:
- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your
edge/proxy.
- Enforce authentication/authorization on backend routes per our
[security guidance](https://nextjs.org/docs/app/guides/data-security).
#### [CVE-2026-27980](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8)
## Summary
The default Next.js image optimization disk cache (`/_next/image`) did
not have a configurable upper bound, allowing unbounded cache growth.
## Impact
An attacker could generate many unique image-optimization variants and
exhaust disk space, causing denial of service.
## Patches
Fixed by adding an LRU-backed disk cache with
`images.maximumDiskCacheSize`, including eviction of least-recently-used
entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0`
disables disk caching.
## Workarounds
If upgrade is not immediately possible:
- Periodically clean `.next/cache/images`.
- Reduce variant cardinality (e.g., tighten values for
`images.localPatterns`, `images.remotePatterns`, and `images.qualities`)
---
### Next.js: Unbounded next/image disk cache growth can exhaust storage
[CVE-2026-27980](https://nvd.nist.gov/vuln/detail/CVE-2026-27980) /
[GHSA-3x4c-7xq6-9pq8](https://redirect.github.com/advisories/GHSA-3x4c-7xq6-9pq8)
<details>
<summary>More information</summary>
#### Details
##### Summary
The default Next.js image optimization disk cache (`/_next/image`) did
not have a configurable upper bound, allowing unbounded cache growth.
##### Impact
An attacker could generate many unique image-optimization variants and
exhaust disk space, causing denial of service.
##### Patches
Fixed by adding an LRU-backed disk cache with
`images.maximumDiskCacheSize`, including eviction of least-recently-used
entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0`
disables disk caching.
##### Workarounds
If upgrade is not immediately possible:
- Periodically clean `.next/cache/images`.
- Reduce variant cardinality (e.g., tighten values for
`images.localPatterns`, `images.remotePatterns`, and `images.qualities`)
#### Severity
- CVSS Score: 6.9 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N`
#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8)
- [https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd](https://redirect.github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-3x4c-7xq6-9pq8) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Next.js: HTTP request smuggling in rewrites
[CVE-2026-29057](https://nvd.nist.gov/vuln/detail/CVE-2026-29057) /
[GHSA-ggv3-7p47-pfv8](https://redirect.github.com/advisories/GHSA-ggv3-7p47-pfv8)
<details>
<summary>More information</summary>
#### Details
##### Summary
When Next.js rewrites proxy traffic to an external backend, a crafted
`DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could
trigger request boundary disagreement between the proxy and backend.
This could allow request smuggling through rewritten routes.
##### Impact
An attacker could smuggle a second request to unintended backend routes
(for example, internal/admin endpoints), bypassing assumptions that only
the configured rewrite destination/path is reachable. This does not
impact applications hosted on providers that handle rewrites at the CDN
level, such as Vercel.
##### Patches
The vulnerability originated in an upstream library vendored by Next.js.
It is fixed by updating that dependency’s behavior so `content-length:
0` is added only when both `content-length` and `transfer-encoding` are
absent, and `transfer-encoding` is no longer removed in that code path.
##### Workarounds
If upgrade is not immediately possible:
- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your
edge/proxy.
- Enforce authentication/authorization on backend routes per our
[security guidance](https://nextjs.org/docs/app/guides/data-security).
#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N`
#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8)
- [https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6](https://redirect.github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v15.5.13](https://redirect.github.com/vercel/next.js/releases/tag/v15.5.13)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-ggv3-7p47-pfv8) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Next.js: Unbounded postponed resume buffering can lead to DoS
[CVE-2026-27979](https://nvd.nist.gov/vuln/detail/CVE-2026-27979) /
[GHSA-h27x-g6w4-24gq](https://redirect.github.com/advisories/GHSA-h27x-g6w4-24gq)
<details>
<summary>More information</summary>
#### Details
##### Summary
A request containing the `next-resume: 1` header (corresponding with a
PPR resume request) would buffer request bodies without consistently
enforcing `maxPostponedStateSize` in certain setups. The previous
mitigation protected minimal-mode deployments, but equivalent
non-minimal deployments remained vulnerable to the same unbounded
postponed resume-body buffering behavior.
##### Impact
In applications using the App Router with Partial Prerendering
capability enabled (via `experimental.ppr` or `cacheComponents`), an
attacker could send oversized `next-resume` POST payloads that were
buffered without consistent size enforcement in non-minimal deployments,
causing excessive memory usage and potential denial of service.
##### Patches
Fixed by enforcing size limits across all postponed-body buffering paths
and erroring when limits are exceeded.
##### Workarounds
If upgrade is not immediately possible:
- Block requests containing the `next-resume` header, as this is never
valid to be sent from an untrusted client.
#### Severity
- CVSS Score: 6.9 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N`
#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq)
- [https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1](https://redirect.github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-h27x-g6w4-24gq) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Next.js: null origin can bypass dev HMR websocket CSRF checks
[CVE-2026-27977](https://nvd.nist.gov/vuln/detail/CVE-2026-27977) /
[GHSA-jcc7-9wpm-mj36](https://redirect.github.com/advisories/GHSA-jcc7-9wpm-mj36)
<details>
<summary>More information</summary>
#### Details
##### Summary
In `next dev`, cross-site protection for internal websocket endpoints
could treat `Origin: null` as a bypass case even if
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
is configured, allowing privacy-sensitive/opaque contexts (for example
sandboxed documents) to connect unexpectedly.
##### Impact
If a dev server is reachable from attacker-controlled content, an
attacker may be able to connect to the HMR websocket channel and
interact with dev websocket traffic. This affects development mode only.
Apps without a configured
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
still allow connections from any origin.
##### Patches
Fixed by validating `Origin: null` through the same cross-site
origin-allowance checks used for other origins.
##### Workarounds
If upgrade is not immediately possible:
- Do not expose `next dev` to untrusted networks.
- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is
`null` at your proxy.
#### Severity
- CVSS Score: 2.3 / 10 (Low)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N`
#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36)
- [https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a](https://redirect.github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-jcc7-9wpm-mj36) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Next.js: null origin can bypass Server Actions CSRF checks
[CVE-2026-27978](https://nvd.nist.gov/vuln/detail/CVE-2026-27978) /
[GHSA-mq59-m269-xvcx](https://redirect.github.com/advisories/GHSA-mq59-m269-xvcx)
<details>
<summary>More information</summary>
#### Details
##### Summary
`origin: null` was treated as a "missing" origin during Server Action
CSRF validation. As a result, requests from opaque contexts (such as
sandboxed iframes) could bypass origin verification instead of being
validated as cross-origin requests.
##### Impact
An attacker could induce a victim browser to submit Server Actions from
a sandboxed context, potentially executing state-changing actions with
victim credentials (CSRF).
##### Patches
Fixed by treating `'null'` as an explicit origin value and enforcing
host/origin checks unless `'null'` is explicitly allowlisted in
`experimental.serverActions.allowedOrigins`.
##### Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer `SameSite=Strict` on sensitive auth cookies.
- Do not allow `'null'` in `serverActions.allowedOrigins` unless
intentionally required and additionally protected.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx)
- [https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8](https://redirect.github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-mq59-m269-xvcx) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>vercel/next.js (next)</summary>
### [`v16.1.7`](https://redirect.github.com/vercel/next.js/compare/v16.1.6...v16.1.7)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v16.1.6...v16.1.7)
### [`v16.1.6`](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.6)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v16.1.5...v16.1.6)
> \[!NOTE]
> This release is backporting bug fixes. It does **not** include all
pending features/changes on canary.
##### Core Changes
- Upgrade to swc 54
([#​88207](https://redirect.github.com/vercel/next.js/issues/88207))
- implement LRU cache with invocation ID scoping for minimal mode
response cache
([#​88509](https://redirect.github.com/vercel/next.js/issues/88509))
- tweak LRU sentinel key
([#​89123](https://redirect.github.com/vercel/next.js/issues/89123))
##### Credits
Huge thanks to [@​mischnic](https://redirect.github.com/mischnic),
[@​wyattjoh](https://redirect.github.com/wyattjoh), and
[@​ztanner](https://redirect.github.com/ztanner) for helping!
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/launchdarkly/js-core).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent f5f753c
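The two `Origin: null` advisories above (CVE-2026-27978 for Server Actions and CVE-2026-27977 for the dev HMR websocket) share one root cause: a check that exempts a *missing* Origin header and lumps the literal string `null` in with "missing". The block below is an added example written for this page, not code from Next.js; it shows the vulnerable and fixed shapes of such a check side by side. Everything in it is this example's own: the function names, the assumption that a request with no Origin header at all is still exempt, an exact host match against `Host` or the allowlist (the real Next.js allowlists are documented separately), and the constructed request headers.

```javascript
// Added example, not Next.js source: origin validation for a state-changing
// request (a Server Action POST or the dev HMR websocket upgrade), showing why
// the literal string "null" must be treated as a real, cross-origin value.
// matchesHostOrAllowlist, originAllowedVulnerable and originAllowedFixed are
// names chosen for this example.

// Shared check: the Origin must match the request's Host, or a host on the
// configured allowlist. The literal "null" has no host to parse, so it only
// passes if the operator explicitly allowlisted "null".
function matchesHostOrAllowlist(origin, host, allowedOrigins) {
  if (origin === 'null') return allowedOrigins.includes('null');
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false;                                   // malformed Origin: not trusted
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
  return parsed.host === host || allowedOrigins.includes(parsed.host);
}

// Vulnerable shape described by the advisory: a request with no Origin header
// is not verified (assumed here to be deliberate), and "null" was lumped in
// with "missing", so a sandboxed iframe skipped the check entirely.
function originAllowedVulnerable(headers, allowedOrigins = []) {
  const origin = headers.origin;
  if (origin === undefined || origin === 'null') return true;   // BUG: opaque origin bypasses
  return matchesHostOrAllowlist(origin, headers.host, allowedOrigins);
}

// Fixed shape: only a genuinely absent header is exempt; "null" is an explicit
// value and goes through the same host/allowlist check as everything else.
function originAllowedFixed(headers, allowedOrigins = []) {
  const origin = headers.origin;
  if (origin === undefined) return true;
  return matchesHostOrAllowlist(origin, headers.host, allowedOrigins);
}

// Constructed requests (not captured traffic). Header names are lowercased as
// Node's http parser delivers them.
const SAME_ORIGIN   = { host: 'app.example', origin: 'https://app.example' };
const CROSS_ORIGIN  = { host: 'app.example', origin: 'https://attacker.example' };
const OPAQUE_ORIGIN = { host: 'app.example', origin: 'null' };   // sandboxed iframe
const NO_ORIGIN     = { host: 'app.example' };

function demoOriginChecks() {
  return {
    vulnerable: {
      sameOrigin: originAllowedVulnerable(SAME_ORIGIN),
      crossOrigin: originAllowedVulnerable(CROSS_ORIGIN),
      opaqueOrigin: originAllowedVulnerable(OPAQUE_ORIGIN),      // true: the bypass
    },
    fixed: {
      sameOrigin: originAllowedFixed(SAME_ORIGIN),
      crossOrigin: originAllowedFixed(CROSS_ORIGIN),
      opaqueOrigin: originAllowedFixed(OPAQUE_ORIGIN),           // false
      opaqueAllowlisted: originAllowedFixed(OPAQUE_ORIGIN, ['null']),  // true only when opted in
      noOrigin: originAllowedFixed(NO_ORIGIN),
    },
  };
}
```

The practical takeaway is in `matchesHostOrAllowlist`: `null` is not parseable as a URL, so any implementation that checks "is the origin present?" before "does it match?" will tend to fall through at exactly the wrong point. Treat it as a value that must be explicitly allowlisted, and only allowlist it when you have another control (a CSRF token) on the action.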
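CVE-2026-27979 above is a bounded-buffering bug: the `next-resume: 1` body was read to completion before the `maxPostponedStateSize` limit was applied on some paths. The following block is an added example, not Next.js code, showing the unbounded and bounded reading patterns against a lazy chunk source so the difference in how much is actually consumed is measurable. The class and function names, the 413 handling, the treatment of `maxPostponedStateSize` as a plain byte count, and the chunk generator are all assumptions of this example.

```javascript
// Added example, not Next.js code: bounding the buffered body of a
// `next-resume: 1` request. PayloadTooLargeError, bufferBodyBounded,
// handleResumeRequest and chunkSource are this example's own names;
// maxPostponedStateSize is modelled as a byte limit.

class PayloadTooLargeError extends Error {
  constructor(seen, limit) {
    super(`postponed state body exceeded ${limit} bytes (saw at least ${seen})`);
    this.name = 'PayloadTooLargeError';
  }
}

// Unbounded shape: every chunk is held until the stream ends, so peak memory
// is whatever the client chooses to send.
function bufferBodyUnbounded(chunks) {
  const parts = [];
  for (const chunk of chunks) parts.push(chunk);
  return Buffer.concat(parts);
}

// Bounded shape: count as chunks arrive and abort the moment the running total
// passes the limit, before the oversized chunk is retained.
function bufferBodyBounded(chunks, maxBytes) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) throw new PayloadTooLargeError(total, maxBytes);
    parts.push(chunk);
  }
  return Buffer.concat(parts, total);
}

// Constructed lazy body source standing in for a request stream; stats.pulled
// records how many chunks a consumer actually read.
function* chunkSource(count, size, stats) {
  for (let i = 0; i < count; i++) {
    stats.pulled += 1;
    yield Buffer.alloc(size, 0x41);
  }
}

// Request-level handling: a declared Content-Length above the limit is
// rejected before any byte is read; chunked bodies (no Content-Length) are
// bounded while reading. Anything without the header is not a resume request.
function handleResumeRequest(headers, chunks, maxPostponedStateSize) {
  if (headers['next-resume'] !== '1') return { status: 400, reason: 'not a resume request' };
  const declared = Number(headers['content-length']);
  if (Number.isFinite(declared) && declared > maxPostponedStateSize) {
    return { status: 413, reason: 'declared length exceeds maxPostponedStateSize' };
  }
  try {
    const body = bufferBodyBounded(chunks, maxPostponedStateSize);
    return { status: 200, bytes: body.length };
  } catch (err) {
    if (err instanceof PayloadTooLargeError) return { status: 413, reason: err.message };
    throw err;
  }
}

function demoResumeBuffering() {
  const LIMIT = 4 * 1024;                     // assumed limit for the example
  const flood = { pulled: 0 };
  const oversized = handleResumeRequest(
    { 'next-resume': '1', 'transfer-encoding': 'chunked' },
    chunkSource(1000, 1024, flood), LIMIT);   // 1000 x 1 KiB, no Content-Length
  const small = { pulled: 0 };
  const accepted = handleResumeRequest(
    { 'next-resume': '1', 'content-length': '2048' },
    chunkSource(2, 1024, small), LIMIT);
  const unboundedPeak = bufferBodyUnbounded(chunkSource(1000, 1024, { pulled: 0 })).length;
  return { oversized, chunksReadBeforeAbort: flood.pulled, accepted, unboundedPeak };
}
```

Two details matter in practice: the Content-Length pre-check is a cheap early rejection but cannot be the only control, because a chunked body carries no declared length; and the bounded reader must stop *pulling* from the stream, not just stop appending, or the transport still drains the whole payload into memory.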
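CVE-2026-29057 above is a classic request-boundary disagreement: the proxy told the backend `content-length: 0` and dropped `transfer-encoding`, but still forwarded the body bytes it had already de-chunked, so the backend parsed those bytes as a second request. The block below is an added example, not the vendored library's code: it models the pre-fix and post-fix header rewrite exactly as the advisory words them, and pairs that with a minimal HTTP/1.1 request parser so the backend's view of the stream can be inspected. The parser, the host names, the request bytes and the function names are all constructed for this example, and the model assumes the proxy decodes the incoming chunked body before re-sending it.

```javascript
// Added example, not the vendored proxy library's code: a model of the header
// rewrite that turned a chunked DELETE/OPTIONS into a boundary disagreement,
// plus a minimal HTTP/1.1 parser to show what the backend sees.

// Splits a request stream (ASCII, as a JS string) into the requests a backend
// would see, framing each body by Content-Length or by chunked coding.
function parseRequests(raw) {
  const out = [];
  let pos = 0;
  while (pos < raw.length) {
    const headEnd = raw.indexOf('\r\n\r\n', pos);
    if (headEnd === -1) break;                               // incomplete head
    const [requestLine, ...lines] = raw.slice(pos, headEnd).split('\r\n');
    const [method, path] = requestLine.split(' ');
    const headers = {};
    for (const line of lines) {
      const i = line.indexOf(':');
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    pos = headEnd + 4;
    let body = '';
    if ((headers['transfer-encoding'] || '').toLowerCase() === 'chunked') {
      for (;;) {
        const lineEnd = raw.indexOf('\r\n', pos);
        const size = parseInt(raw.slice(pos, lineEnd), 16);
        pos = lineEnd + 2;
        if (size === 0) { pos += 2; break; }                 // last-chunk, no trailers
        body += raw.slice(pos, pos + size);
        pos += size + 2;
      }
    } else {
      const len = parseInt(headers['content-length'] || '0', 10);
      body = raw.slice(pos, pos + len);
      pos += len;
    }
    out.push({ method, path, headers, body });
  }
  return out;
}

function chunkEncode(body) {
  return (body.length ? `${body.length.toString(16)}\r\n${body}\r\n` : '') + '0\r\n\r\n';
}

function serialize({ method, path, headers, body }) {
  const head = Object.entries(headers).map(([k, v]) => `${k}: ${v}\r\n`).join('');
  const chunked = (headers['transfer-encoding'] || '').toLowerCase() === 'chunked';
  return `${method} ${path} HTTP/1.1\r\n${head}\r\n${chunked ? chunkEncode(body) : body}`;
}

// Pre-fix shape as the advisory describes it: for DELETE/OPTIONS the proxy
// dropped Transfer-Encoding and declared Content-Length: 0, while the
// (already de-chunked) body bytes were still written behind the headers.
function normalizeVulnerable(method, headers) {
  const h = { ...headers };
  if (method === 'DELETE' || method === 'OPTIONS') {
    delete h['transfer-encoding'];                           // BUG
    if (h['content-length'] === undefined) h['content-length'] = '0';
  }
  return h;
}

// Post-fix shape: Content-Length: 0 only when neither framing header is
// present, and Transfer-Encoding is left alone so the body stays framed.
function normalizeFixed(method, headers) {
  const h = { ...headers };
  if ((method === 'DELETE' || method === 'OPTIONS') &&
      h['content-length'] === undefined && h['transfer-encoding'] === undefined) {
    h['content-length'] = '0';
  }
  return h;
}

// The rewrite proxy: parse the client request (decoding its chunked body),
// rewrite headers, and write the result to the backend connection.
function proxyToBackend(normalize, rawClientRequest) {
  const [req] = parseRequests(rawClientRequest);
  return serialize({ ...req, headers: normalize(req.method, req.headers) });
}

// Edge workaround from the advisory: refuse chunked DELETE/OPTIONS up front.
function blockAtEdge(method, headers) {
  return (method === 'DELETE' || method === 'OPTIONS') &&
    (headers['transfer-encoding'] || '').toLowerCase().includes('chunked');
}

// Constructed attack: the chunked DELETE body is itself a complete GET /admin.
const SMUGGLED = 'GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n';
const CLIENT_REQUEST =
  'DELETE /api/item HTTP/1.1\r\nHost: app.internal\r\nTransfer-Encoding: chunked\r\n\r\n' +
  chunkEncode(SMUGGLED);

function demoSmuggling() {
  const first = parseRequests(CLIENT_REQUEST)[0];
  return {
    vulnerableBackendView: parseRequests(proxyToBackend(normalizeVulnerable, CLIENT_REQUEST)),
    fixedBackendView: parseRequests(proxyToBackend(normalizeFixed, CLIENT_REQUEST)),
    blockedAtEdge: blockAtEdge(first.method, first.headers),
  };
}
```

With the vulnerable rewrite the backend sees two requests, the second being `GET /admin` that never passed through the rewrite's path restriction; with the fixed rewrite it sees one `DELETE` whose body happens to contain HTTP text. That is also why the advisory's second workaround (authenticate every backend route) matters: a rewrite destination is a routing convenience, not an authorization boundary.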
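CVE-2026-27980 above is fixed by putting a byte budget with least-recently-used eviction in front of the image cache, and the advisory's second workaround is to shrink the number of distinct variants an attacker can request. The block below is an added example, not the Next.js image optimizer: a byte-budgeted LRU that models the patched behaviour (including the `0` means disabled rule) and a constructed flood of `(url, width, quality)` variants against it. The class, its method names, the variant key format, the sizes and the request pattern are all assumptions of this example.

```javascript
// Added example, not Next.js's image optimizer: a byte-budgeted LRU standing
// in for the patched `/_next/image` disk cache. BoundedImageCache, variantKey
// and simulateVariantFlood are this example's own names.

class BoundedImageCache {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;     // 0 models maximumDiskCacheSize: 0 (caching off)
    this.entries = new Map();     // Map keeps insertion order, used as recency order
    this.totalBytes = 0;
    this.evictions = 0;
  }

  // A hit re-inserts the key so it becomes the most recently used entry.
  get(key) {
    const entry = this.entries.get(key);
    if (entry === undefined) return undefined;
    this.entries.delete(key);
    this.entries.set(key, entry);
    return entry;
  }

  // Stores a variant and evicts from the least recently used end until the
  // total fits the budget. Returns false when the cache is disabled or the
  // single entry could never fit.
  set(key, bytes) {
    if (this.maxBytes === 0 || bytes > this.maxBytes) return false;
    const old = this.entries.get(key);
    if (old !== undefined) {
      this.totalBytes -= old.bytes;
      this.entries.delete(key);
    }
    this.entries.set(key, { bytes });
    this.totalBytes += bytes;
    while (this.totalBytes > this.maxBytes) {
      const [oldestKey, oldest] = this.entries.entries().next().value;
      this.entries.delete(oldestKey);
      this.totalBytes -= oldest.bytes;
      this.evictions += 1;
    }
    return true;
  }
}

// Each distinct (url, width, quality) tuple is a separate cache file; that is
// the cardinality an attacker multiplies and that images.qualities and the
// width set constrain.
function variantKey(url, width, quality) {
  return `${url}|w=${width}|q=${quality}`;
}

// Constructed attack pattern: one remote image requested at every width and
// quality combination, interleaved with a legitimate "hot" variant being read.
function simulateVariantFlood(maxBytes, widths, qualities, bytesPerVariant) {
  const cache = new BoundedImageCache(maxBytes);
  const url = 'https://cdn.example/hero.jpg';
  const hot = variantKey(url, widths[0], qualities[0]);
  cache.set(hot, bytesPerVariant);
  let attempted = 0;
  for (const w of widths) {
    for (const q of qualities) {
      attempted += 1;
      cache.get(hot);                              // real traffic keeps using the hot variant
      cache.set(variantKey(url, w, q), bytesPerVariant);
    }
  }
  return {
    attempted,
    stored: cache.entries.size,
    totalBytes: cache.totalBytes,
    evictions: cache.evictions,
    hotSurvived: cache.entries.has(hot),
  };
}

const FLOOD_WIDTHS = [16, 32, 48, 64, 96, 128, 256, 384, 640, 750];
const FLOOD_QUALITIES = [10, 20, 30, 40, 50, 60, 70, 80, 90, 100];

function demoImageCache() {
  return {
    budgeted: simulateVariantFlood(50 * 1024, FLOOD_WIDTHS, FLOOD_QUALITIES, 10 * 1024),
    disabled: simulateVariantFlood(0, FLOOD_WIDTHS, FLOOD_QUALITIES, 10 * 1024),
  };
}
```

Under a 50 KiB budget the 100-variant flood never holds more than five 10 KiB files on disk and the variant real users keep hitting survives, which is the property the fix buys; with the budget set to `0` nothing is written at all. The flood's `attempted` count is `widths × qualities` for a single source image, which is why trimming `images.qualities` and the width set is a meaningful workaround on its own.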
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
18 | | - | |
| 18 | + | |
19 | 19 | | |
20 | 20 | | |
21 | 21 | | |
| |||
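Review bot: the hunk is a one-line replacement at line 18 of the single file in this commit, but the changed text is not visible in this rendering, so confirm it is the `next` specifier moving from `16.1.5` to `16.1.7` as the title states. Since only one file changed, also check whether a lockfile in this repository still resolves `next` to 16.1.5; if it does, a frozen-lockfile install will keep the vulnerable version and the advisories in the description remain unaddressed until the lockfile is regenerated.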
0 commit comments