chore(deps): update dependency next to v15 [security]#8
Open
renovate[bot] wants to merge 1 commit intomainfrom
Open
chore(deps): update dependency next to v15 [security]#8renovate[bot] wants to merge 1 commit intomainfrom
renovate[bot] wants to merge 1 commit intomainfrom
Conversation
| datasource | package | from | to | | ---------- | ------- | ------- | ------- | | npm | next | 14.2.16 | 15.5.10 |
Deploying atl-chat with
|
| Latest commit: |
7c52676
|
| Status: | 🚫 Build failed. |
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
Comment on lines
4
to
5
| react: ^18 | ||
| react-dom: ^18 |
There was a problem hiding this comment.
Bug: The pnpm-workspace.yaml updates next to version 15 but leaves react at version 18. Next.js 15's App Router requires React 19, creating an incompatibility.
Severity: CRITICAL
Suggested Fix
To resolve the incompatibility, update the react and react-dom versions in the pnpm-workspace.yaml catalog to ^19. This will align the dependencies with the requirements for using the App Router in Next.js 15.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: pnpm-workspace.yaml#L4-L5
Potential issue: The `pnpm-workspace.yaml` file was updated to use `next: 15.5.10`, but
the `react` dependency remains at `^18`. The `apps/web` package uses Next.js's App
Router, which, according to official documentation for Next.js 15, requires React 19 as
a minimum version. This mismatch will cause the application to fail at runtime when it
attempts to use App Router features that depend on React 19, preventing the application
from starting or building correctly.
Did we get this right? 👍 / 👎 to inform future reviews.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 2 files
Confidence score: 3/5
- There is a concrete risk of build/peer dependency conflicts: Next.js 15 requires React 19+, but
pnpm-workspace.yamlstill pins React 18, which can break installs or builds. - Given the mismatch is clear and user-impacting (dependency resolution/build failures), this adds moderate merge risk until versions are aligned.
- Pay close attention to
pnpm-workspace.yaml- upgradereact/react-domto 19.x to match the Next.js bump.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="pnpm-workspace.yaml">
<violation number="1" location="pnpm-workspace.yaml:3">
P1: Next.js 15 requires React 19+, but the catalog still pins React 18. This version mismatch will produce peer dependency conflicts and can break builds. Upgrade `react` and `react-dom` to 19.x alongside the Next.js bump.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| packages: [apps/*] | ||
| catalog: | ||
| next: 14.2.16 | ||
| next: 15.5.10 |
There was a problem hiding this comment.
P1: Next.js 15 requires React 19+, but the catalog still pins React 18. This version mismatch will produce peer dependency conflicts and can break builds. Upgrade react and react-dom to 19.x alongside the Next.js bump.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At pnpm-workspace.yaml, line 3:
<comment>Next.js 15 requires React 19+, but the catalog still pins React 18. This version mismatch will produce peer dependency conflicts and can break builds. Upgrade `react` and `react-dom` to 19.x alongside the Next.js bump.</comment>
<file context>
@@ -1,7 +1,6 @@
packages: [apps/*]
catalog:
- next: 14.2.16
+ next: 15.5.10
react: ^18
react-dom: ^18
</file context>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
14.2.16→15.5.10Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Next.js Allows a Denial of Service (DoS) with Server Actions
CVE-2024-56332 / GHSA-7m27-7ghc-44w9
More information
Details
Impact
A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.
Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.
Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.
This is the same issue as if the incoming HTTP request has an invalid
Content-Lengthheader or never closes. If the host has no other mitigations to those then this vulnerability is novel.This vulnerability affects only Next.js deployments using Server Actions.
Patches
This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.
Workarounds
There are no official workarounds for this vulnerability.
Credits
Thanks to the PackDraw team for responsibly disclosing this vulnerability.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Race Condition to Cache Poisoning
CVE-2025-32421 / GHSA-qpjv-v59x-3qc4
More information
Details
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve
pagePropsdata instead of standard HTML.Learn more here
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Authorization Bypass in Next.js Middleware
CVE-2025-29927 / GHSA-f82v-jwr5-mffw
More information
Details
Impact
It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
Patches
15.2.314.2.25Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.
Workaround
If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the
x-middleware-subrequestheader from reaching your Next.js application.Credits
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
CVE-2025-57752 / GHSA-g5qg-72qw-gw5v
More information
Details
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as
CookieorAuthorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
More details at Vercel Changelog
Severity
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Content Injection Vulnerability for Image Optimization
CVE-2025-55173 / GHSA-xv57-4mr9-wg8v
More information
Details
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on
images.domainsorimages.remotePatternsare encouraged to upgrade and verify that external image sources are strictly validated.More details at Vercel Changelog
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js Improper Middleware Redirect Handling Leads to SSRF
CVE-2025-57822 / GHSA-4342-x723-ch2f
More information
Details
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into
NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the
next()function.More details at Vercel Changelog
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next Vulnerable to Denial of Service with Server Components
GHSA-mwv6-3258-q52c
More information
Details
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.
A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
GHSA-5j59-xgg2-r9c4
More information
Details
It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.
This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.
A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
GHSA-h25m-26qc-wcjf
More information
Details
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
CVE-2025-59471 / GHSA-9g9p-9gw9-jx7f
More information
Details
A DoS vulnerability exists in self-hosted Next.js applications that have
remotePatternsconfigured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires thatremotePatternsis configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
vercel/next.js (next)
v15.5.10Compare Source
Please refer the following changelogs for more information about this security release:
v15.5.9Compare Source
v15.5.8Compare Source
v15.5.7Compare Source
v15.5.6Compare Source
Core Changes
Credits
Huge thanks to @mischnic for helping!
v15.5.5Compare Source
Core Changes
experimental.middlewareClientMaxBodySizebody cloning limit (#84722)Misc Changes
Credits
Huge thanks to @devjiwonchoi, @ztanner, and @icyJoseph for helping!
v15.5.4Compare Source
Core Changes
Misc Changes
Credits
Huge thanks to @yiminghe, @huozhi, @devjiwonchoi, @mischnic, @lukesandberg, @ztanner, @icyJoseph, @leerob, @fufuShih, @dwrth, @aymericzip, @obendev, @molebox, @OoMNoO, @pontasan, @styfle, @HondaYt, @ryuapp, @lpalmes, and @ijjk for helping!
v15.5.3Compare Source
Core Changes
Credits
Huge thanks to @bgub for helping!
v15.5.2Compare Source
Core Changes
Credits
Huge thanks to @bgub and @ztanner for helping!
v15.5.1Compare Source
Core Changes
Credits
Huge thanks to @bgub, @mischnic, and @ztanner for helping!
v15.5.0Compare Source
Core Changes
@typescript-eslint/switch-exhaustiveness-checkrule: #81583React.unstable_postpone(): #81652images.qualitiesis undefined: #81690pprordynamicIOenabled: #81668__turbopack_load_by_url__: #8166397cdd5d3-20250710to2f0e7e57-20250715: #81678renderToStringfunction: #817072f0e7e57-20250715tod85ec5f5-20250716: #81708next-serverVM: #81664headers/cookies/draftModein'use cache': #81716d85ec5f5-20250716todffacc7b-20250717: #81767getExpectedRequestStorefunction: #81791.next/cache: #81807dffacc7b-20250717toe9638c33-20250721: #81899'use cache: private': #81816browserslist: #81851run-turbopack-compilertrace span: #81917e9638c33-20250721to7513996f-20250722: #819407513996f-20250722toedac0dde-20250723: #81984exhaustive-depsviolations: #82010edac0dde-20250723to3d14fcf0-20250724: #820203d14fcf0-20250724to19baee81-20250725: #8206319baee81-20250725toeaee5308-20250728: #82120eaee5308-20250728to9be531cd-20250729: #82159@next/codemod: update docs url in README: #82135@next/codemod: Addexperimental.turbototurbopackcodemod for Next.js configs: #82134NextRequesttypes: #821729be531cd-20250729to9784cb37-20250730: #82207TURBOPACKenv before loading config: #82162outputFileTracingRootorturbopack.rootoption is provided: #821649784cb37-20250730toc260b38d-20250731: #82247eslint-plugin-react-hooksin React sync: #82294c260b38d-20250731tobe11cb5c-20250804: #82339_errorpage'sreq.urlcan be overwritten to dynamic param on minimal mode: #82347asPathfor query-only navigation withuseRouter: #82236?dplto fonts in/_next/static/media: #82384be11cb5c-20250804to7deda941-20250804: #82373pathto Image documentation: #823297deda941-20250804to3958d5d8-20250807: #824473958d5d8-20250807tof1e70b5e-20250811: #82534f1e70b5e-20250811toac7820a9-20250811: #82543image-sizepkg as additional format detector: #82538?dplto fonts in/_next/static/mediapart 2: #82488componentStackFramesfield: #82395skipMetadata: #82569ac7820a9-20250811to1dc3bdea-20250812: #82575Mapsupport froConfiguration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.