fix(deps): update dependency next to v15.5.15 [security]#1583
Open
renovate[bot] wants to merge 1 commit intosepoliafrom
Open
fix(deps): update dependency next to v15.5.15 [security]#1583renovate[bot] wants to merge 1 commit intosepoliafrom
renovate[bot] wants to merge 1 commit intosepoliafrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
d74792a to
f65675c
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
f65675c to
19e1025
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
19e1025 to
48a592e
Compare
renovate
bot
force-pushed
the
renovate/npm-next-vulnerability
branch
from
48a592e to
a78f483
Compare
renovate
bot
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
15.5.10→15.5.15GitHub Vulnerability Alerts
CVE-2026-29057
Summary
When Next.js rewrites proxy traffic to an external backend, a crafted
DELETE/OPTIONSrequest usingTransfer-Encoding: chunkedcould trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.Impact
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.
Patches
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so
content-length: 0is added only when bothcontent-lengthandtransfer-encodingare absent, andtransfer-encodingis no longer removed in that code path.Workarounds
If upgrade is not immediately possible:
DELETE/OPTIONSrequests on rewritten routes at your edge/proxy.CVE-2026-27980
Summary
The default Next.js image optimization disk cache (
/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.
Patches
Fixed by adding an LRU-backed disk cache with
images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. SettingmaximumDiskCacheSize: 0disables disk caching.Workarounds
If upgrade is not immediately possible:
.next/cache/images.images.localPatterns,images.remotePatterns, andimages.qualities)GHSA-q4gf-8mx6-v5v3
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog.
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.
Release Notes
vercel/next.js (next)
v15.5.15Compare Source
Please refer the following changelogs for more information about this security release:
https://vercel.com/changelog/summary-of-cve-2026-23869
v15.5.14Compare Source
v15.5.13Compare Source
v15.5.12Compare Source
This is a re-release of v15.5.11 applying the turbopack changes.
v15.5.11Compare Source
Core Changes
Credits
Huge thanks to @timneutkens, @mischnic, @ztanner, and @wyattjoh for helping!
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.