Skip to content

fix(deps): vuln next (major → 16.2.4) [website]#91

Draft
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/major/npm/website/3-1778178582
Draft

fix(deps): vuln next (major → 16.2.4) [website]#91
gh-worker-campaigns-3e9aa4[bot] wants to merge 1 commit into
masterfrom
engraver-auto-version-upgrade/major/npm/website/3-1778178582

Conversation

@gh-worker-campaigns-3e9aa4
Copy link
Copy Markdown

@gh-worker-campaigns-3e9aa4 gh-worker-campaigns-3e9aa4 Bot commented May 7, 2026

Summary: Critical-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

  • website (npm)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

Updates

Package From To Type Dep Type Vulnerabilities Fixed
next 14.0.4 16.2.4 major Direct 2 CRITICAL, 10 HIGH, 16 MODERATE, 4 LOW

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

  • Review the changelog/release notes for breaking changes
  • Test thoroughly in a staging environment
  • Update any code that depends on changed APIs
  • Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (12 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
next GHSA-f82v-jwr5-mffw CRITICAL Authorization Bypass in Next.js Middleware 14.0.4 13.5.9
next CVE-2025-29927 CRITICAL Authorization Bypass in Next.js Middleware 14.0.4 -
next CVE-2024-51479 HIGH Authorization bypass in Next.js 14.0.4 -
next GHSA-h25m-26qc-wcjf HIGH Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components 14.0.4 15.0.8
next CVE-2024-34351 HIGH Next.js Server-Side Request Forgery in Server Actions 14.0.4 -
next GHSA-gp8f-8m3g-qvj9 HIGH Next.js Cache Poisoning 14.0.4 13.5.7
next CVE-2024-46982 HIGH Cache Poisoning in next.js 14.0.4 -
next GHSA-fr5h-rqp8-mj6g HIGH Next.js Server-Side Request Forgery in Server Actions 14.0.4 14.1.1
next GHSA-q4gf-8mx6-v5v3 HIGH Next.js has a Denial of Service with Server Components 14.0.4 15.5.15
next GHSA-mwv6-3258-q52c HIGH Next Vulnerable to Denial of Service with Server Components 14.0.4 14.2.34
next GHSA-5j59-xgg2-r9c4 HIGH Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up 14.0.4 14.2.35
next GHSA-7gfc-8cq8-jh5f HIGH Next.js authorization bypass vulnerability 14.0.4 14.2.15
ℹ️ Other Vulnerabilities (20)
Package CVE Severity Summary Unsafe Version Fixed In
next CVE-2025-57822 MODERATE Next.js Improper Middleware Redirect Handling Leads to SSRF 14.0.4 -
next CVE-2025-57752 MODERATE Next.js Affected by Cache Key Confusion for Image Optimization API Routes 14.0.4 -
next CVE-2026-27980 MODERATE Next.js: Unbounded next/image disk cache growth can exhaust storage 14.0.4 -
next GHSA-4342-x723-ch2f MODERATE Next.js Improper Middleware Redirect Handling Leads to SSRF 14.0.4 14.2.32
next CVE-2026-29057 MODERATE Next.js: HTTP request smuggling in rewrites 14.0.4 -
next GHSA-ggv3-7p47-pfv8 MODERATE Next.js: HTTP request smuggling in rewrites 14.0.4 16.1.7
next GHSA-g5qg-72qw-gw5v MODERATE Next.js Affected by Cache Key Confusion for Image Optimization API Routes 14.0.4 14.2.31
next CVE-2024-56332 MODERATE Next.js Vulnerable to Denial of Service (DoS) with Server Actions 14.0.4 -
next CVE-2025-59471 MODERATE - 14.0.4 -
next GHSA-3x4c-7xq6-9pq8 MODERATE Next.js: Unbounded next/image disk cache growth can exhaust storage 14.0.4 16.1.7
next GHSA-xv57-4mr9-wg8v MODERATE Next.js Content Injection Vulnerability for Image Optimization 14.0.4 14.2.31
next CVE-2025-55173 MODERATE Next.js Content Injection Vulnerability for Image Optimization 14.0.4 -
next GHSA-9g9p-9gw9-jx7f MODERATE Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration 14.0.4 15.5.10
next GHSA-7m27-7ghc-44w9 MODERATE Next.js Allows a Denial of Service (DoS) with Server Actions 14.0.4 13.5.8
next CVE-2024-47831 MODERATE Next.js image optimization has Denial of Service condition 14.0.4 -
next GHSA-g77x-44xx-532m MODERATE Denial of Service condition in Next.js image optimization 14.0.4 14.2.7
next CVE-2025-32421 LOW Next.js Race Condition to Cache Poisoning 14.0.4 -
next CVE-2025-48068 LOW Information exposure in Next.js dev server due to lack of origin verification 14.0.4 -
next GHSA-3h52-269p-cp9r LOW Information exposure in Next.js dev server due to lack of origin verification 14.0.4 15.2.2
next GHSA-qpjv-v59x-3qc4 LOW Next.js Race Condition to Cache Poisoning 14.0.4 14.2.24

Review Checklist

Extra review is recommended for this update:

  • Review changes for compatibility with your code
  • Check release notes for breaking changes
  • Run integration tests to verify service behavior
  • Test in staging environment before production
  • Monitor key metrics after deployment
  • Approve and merge this PR

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

adms-critical-severity adms-custom-action-failed adms-dependency-update adms-high-severity adms-low-severity adms-major-update adms-medium-severity adms-mode-all-vulns adms-npm campaigner-automated-change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants