
Production deployment #1951

Merged

simonknittel merged 2 commits into main from develop
Mar 18, 2026

Conversation

@github-actions

Only merge using a merge commit!

simonknittel and others added 2 commits March 18, 2026 01:29

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | [`16.1.6` → `16.1.7`](https://renovatebot.com/diffs/npm/next/16.1.6/16.1.7) | ![age](https://developer.mend.io/api/mc/badges/age/npm/next/16.1.7?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/16.1.6/16.1.7?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-27977](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36)

## Summary
In `next dev`, cross-site protection for internal websocket endpoints
could treat `Origin: null` as a bypass case even if
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
is configured, allowing privacy-sensitive/opaque contexts (for example
sandboxed documents) to connect unexpectedly.

## Impact
If a dev server is reachable from attacker-controlled content, an
attacker may be able to connect to the HMR websocket channel and
interact with dev websocket traffic. This affects development mode only.
Apps without a configured
[`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins)
still allow connections from any origin.

## Patches
Fixed by validating `Origin: null` through the same cross-site
origin-allowance checks used for other origins.

## Workarounds
If upgrade is not immediately possible:
- Do not expose `next dev` to untrusted networks.
- Block websocket upgrades to `/_next/webpack-hmr` when `Origin` is
`null` at your proxy.

#### [CVE-2026-27978](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx)

## Summary
`origin: null` was treated as a "missing" origin during Server Action
CSRF validation. As a result, requests from opaque contexts (such as
sandboxed iframes) could bypass origin verification instead of being
validated as cross-origin requests.

## Impact
An attacker could induce a victim browser to submit Server Actions from
a sandboxed context, potentially executing state-changing actions with
victim credentials (CSRF).

## Patches
Fixed by treating `'null'` as an explicit origin value and enforcing
host/origin checks unless `'null'` is explicitly allowlisted in
`experimental.serverActions.allowedOrigins`.

## Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer `SameSite=Strict` on sensitive auth cookies.
- Do not allow `'null'` in `serverActions.allowedOrigins` unless
intentionally required and additionally protected.

#### [CVE-2026-27979](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq)

## Summary
A request containing the `next-resume: 1` header (corresponding with a
PPR resume request) would buffer request bodies without consistently
enforcing `maxPostponedStateSize` in certain setups. The previous
mitigation protected minimal-mode deployments, but equivalent
non-minimal deployments remained vulnerable to the same unbounded
postponed resume-body buffering behavior.

## Impact
In applications using the App Router with Partial Prerendering
capability enabled (via `experimental.ppr` or `cacheComponents`), an
attacker could send oversized `next-resume` POST payloads that were
buffered without consistent size enforcement in non-minimal deployments,
causing excessive memory usage and potential denial of service.

## Patches
Fixed by enforcing size limits across all postponed-body buffering paths
and erroring when limits are exceeded.

## Workarounds
If upgrade is not immediately possible:
- Block requests containing the `next-resume` header, as this is never
valid to be sent from an untrusted client.

#### [CVE-2026-29057](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8)

## Summary
When Next.js rewrites proxy traffic to an external backend, a crafted
`DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could
trigger request boundary disagreement between the proxy and backend.
This could allow request smuggling through rewritten routes.

## Impact
An attacker could smuggle a second request to unintended backend routes
(for example, internal/admin endpoints), bypassing assumptions that only
the configured rewrite destination/path is reachable. This does not
impact applications hosted on providers that handle rewrites at the CDN
level, such as Vercel.

## Patches
The vulnerability originated in an upstream library vendored by Next.js.
It is fixed by updating that dependency’s behavior so `content-length:
0` is added only when both `content-length` and `transfer-encoding` are
absent, and `transfer-encoding` is no longer removed in that code path.

## Workarounds
If upgrade is not immediately possible:
- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your
edge/proxy.
- Enforce authentication/authorization on backend routes per our
[security guidance](https://nextjs.org/docs/app/guides/data-security).

---

### Next.js: Unbounded next/image disk cache growth can exhaust storage
[CVE-2026-27980](https://nvd.nist.gov/vuln/detail/CVE-2026-27980) /
[GHSA-3x4c-7xq6-9pq8](https://redirect.github.com/advisories/GHSA-3x4c-7xq6-9pq8)

<details>
<summary>More information</summary>

#### Details
##### Summary
The default Next.js image optimization disk cache (`/_next/image`) did
not have a configurable upper bound, allowing unbounded cache growth.

##### Impact
An attacker could generate many unique image-optimization variants and
exhaust disk space, causing denial of service.

##### Patches
Fixed by adding an LRU-backed disk cache with
`images.maximumDiskCacheSize`, including eviction of least-recently-used
entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0`
disables disk caching.

##### Workarounds
If upgrade is not immediately possible:
- Periodically clean `.next/cache/images`.
- Reduce variant cardinality (e.g., tighten values for
`images.localPatterns`, `images.remotePatterns`, and `images.qualities`)

#### Severity
- CVSS Score: 6.9 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N`

#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8)
- [https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd](https://redirect.github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-3x4c-7xq6-9pq8) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Next.js: HTTP request smuggling in rewrites
[CVE-2026-29057](https://nvd.nist.gov/vuln/detail/CVE-2026-29057) /
[GHSA-ggv3-7p47-pfv8](https://redirect.github.com/advisories/GHSA-ggv3-7p47-pfv8)

<details>
<summary>More information</summary>

#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8)
- [https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6](https://redirect.github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v15.5.13](https://redirect.github.com/vercel/next.js/releases/tag/v15.5.13)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-ggv3-7p47-pfv8) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Next.js: Unbounded postponed resume buffering can lead to DoS
[CVE-2026-27979](https://nvd.nist.gov/vuln/detail/CVE-2026-27979) /
[GHSA-h27x-g6w4-24gq](https://redirect.github.com/advisories/GHSA-h27x-g6w4-24gq)

<details>
<summary>More information</summary>

#### Severity
- CVSS Score: 6.9 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N`

#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq)
- [https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1](https://redirect.github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-h27x-g6w4-24gq) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Next.js: null origin can bypass dev HMR websocket CSRF checks
[CVE-2026-27977](https://nvd.nist.gov/vuln/detail/CVE-2026-27977) /
[GHSA-jcc7-9wpm-mj36](https://redirect.github.com/advisories/GHSA-jcc7-9wpm-mj36)

<details>
<summary>More information</summary>

#### Severity
- CVSS Score: 2.3 / 10 (Low)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36)
- [https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a](https://redirect.github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-jcc7-9wpm-mj36) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Next.js: null origin can bypass Server Actions CSRF checks
[CVE-2026-27978](https://nvd.nist.gov/vuln/detail/CVE-2026-27978) /
[GHSA-mq59-m269-xvcx](https://redirect.github.com/advisories/GHSA-mq59-m269-xvcx)

<details>
<summary>More information</summary>

#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References
- [https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx)
- [https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8](https://redirect.github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8)
- [https://github.com/vercel/next.js](https://redirect.github.com/vercel/next.js)
- [https://github.com/vercel/next.js/releases/tag/v16.1.7](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-mq59-m269-xvcx) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>vercel/next.js (next)</summary>

### [`v16.1.7`](https://redirect.github.com/vercel/next.js/releases/tag/v16.1.7)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v16.1.6...v16.1.7)

> [!NOTE]
> This release is backporting bug fixes. It does **not** include all
> pending features/changes on canary.

##### Core Changes

- [Cache Components] Prevent streaming fetch calls from hanging in dev ([#89194](https://redirect.github.com/vercel/next.js/issues/89194))
- Apply server actions transform to node_modules in route handlers ([#89380](https://redirect.github.com/vercel/next.js/issues/89380))
- ensure `maxPostponedStateSize` is always respected (See: [CVE-2026-27979](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq))
- feat(next/image): add lru disk cache and `images.maximumDiskCacheSize` (See: [CVE-2026-27980](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8))
- Allow blocking cross-site dev-only websocket connections from privacy-sensitive origins (See: [CVE-2026-27977](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36))
- Disallow Server Action submissions from privacy-sensitive contexts by default (See: [CVE-2026-27978](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx))
- fix: patch http-proxy to prevent request smuggling in rewrites (See: [CVE-2026-29057](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8))

##### Credits

Huge thanks to [@unstubbable](https://redirect.github.com/unstubbable), [@styfle](https://redirect.github.com/styfle), [@eps1lon](https://redirect.github.com/eps1lon), and [@ztanner](https://redirect.github.com/ztanner) for helping!

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).


Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>

This PR contains the following updates:
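The two null-origin advisories above (CVE-2026-27977 for the dev websocket, CVE-2026-27978 for Server Actions) describe the same mistake: the literal header value `Origin: null`, which browsers send for opaque contexts such as sandboxed iframes, was handled like an absent header and therefore skipped verification. The following is an added example, not Next.js code and not this project's, showing the vulnerable and the hardened shape of such a check in JavaScript. The header objects, host names and the returned labels are assumptions for the demonstration; the allowlist holds host names and, only if opaque contexts are deliberately permitted, the literal string `null`, mirroring the advisory's description of the fix.

```javascript
// Added example (not Next.js code). An origin check for state-changing
// requests must treat the literal string "null" as a real, cross-site origin:
// match it against the allowlist explicitly, never fall through to the
// "no Origin header" branch. Header names are assumed lower-cased.

// Shape of the bug described in the advisories: "null" shares the branch with
// a missing Origin, so no verification happens for opaque contexts.
function checkOriginVulnerable(headers, allowedOrigins = []) {
  const origin = headers.origin;
  if (origin === undefined || origin === 'null') {
    return 'skipped'; // BUG: opaque origin bypasses verification entirely
  }
  return compareOrigin(origin, headers.host, allowedOrigins);
}

// Hardened shape: only a truly absent header skips the check; "null" is
// matched literally against the allowlist and otherwise rejected.
function checkOrigin(headers, allowedOrigins = []) {
  const origin = headers.origin;
  if (origin === undefined) {
    return 'skipped'; // no Origin at all (non-browser client); other checks apply
  }
  if (origin === 'null') {
    return allowedOrigins.includes('null') ? 'allowlisted-opaque' : 'rejected-opaque';
  }
  return compareOrigin(origin, headers.host, allowedOrigins);
}

// Shared comparison for concrete origins: same host as the request, or an
// allowlisted host. Anything that does not parse as a URL is rejected.
function compareOrigin(origin, host, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (_err) {
    return 'rejected-malformed';
  }
  if (parsed.host === host) return 'same-origin';
  if (allowedOrigins.includes(parsed.host)) return 'allowlisted';
  return 'rejected-cross-origin';
}

// Constructed sample requests (host names are made up for the demonstration).
const SAMPLES = {
  sameOrigin: { host: 'app.example', origin: 'https://app.example' },
  crossOrigin: { host: 'app.example', origin: 'https://evil.example' },
  opaque: { host: 'app.example', origin: 'null' },
  noOrigin: { host: 'app.example' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(12), 'vulnerable:', checkOriginVulnerable(headers).padEnd(8), 'fixed:', checkOrigin(headers));
}
```

The only behavioural difference between the two functions is the `opaque` sample: the vulnerable check reports `skipped`, the hardened one `rejected-opaque` unless `'null'` was allowlisted, which is the decision the advisory's third workaround tells operators to make deliberately.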
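The request-smuggling advisory (CVE-2026-29057) describes the fix in terms of header handling: `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed. As an added example, not http-proxy's or Next.js's code, here is that normalisation step in JavaScript in its described-vulnerable and fixed forms, plus the ambiguity check a proxy can run before forwarding. Header names are assumed lower-cased; the sample request is constructed.

```javascript
// Added example (not http-proxy or Next.js code). A proxy that forwards
// DELETE/OPTIONS requests must not invent "content-length: 0" or drop
// Transfer-Encoding when the client sent a chunked body; otherwise the proxy
// and the backend disagree about where the request ends, which is the
// boundary disagreement the advisory describes.

const BODYLESS_BY_DEFAULT = new Set(['DELETE', 'OPTIONS']);

// Behaviour described as vulnerable: a missing Content-Length alone triggers
// the rewrite, which adds "content-length: 0" and removes Transfer-Encoding,
// silently detaching the chunked body from the request the backend sees.
function normalizeFramingVulnerable(method, headers) {
  const out = { ...headers };
  if (BODYLESS_BY_DEFAULT.has(method) && out['content-length'] === undefined) {
    out['content-length'] = '0';
    delete out['transfer-encoding'];
  }
  return out;
}

// Fixed behaviour: add "content-length: 0" only when neither framing header is
// present, and never strip Transfer-Encoding.
function normalizeFraming(method, headers) {
  const out = { ...headers };
  const hasLength = out['content-length'] !== undefined;
  const hasTransferEncoding = out['transfer-encoding'] !== undefined;
  if (BODYLESS_BY_DEFAULT.has(method) && !hasLength && !hasTransferEncoding) {
    out['content-length'] = '0';
  }
  return out;
}

// Defensive pre-check: a request carrying both framing headers is ambiguous
// by construction and should be rejected outright rather than normalised.
function hasAmbiguousFraming(headers) {
  return headers['content-length'] !== undefined && headers['transfer-encoding'] !== undefined;
}

// Constructed sample: a chunked DELETE as a client may legitimately send it.
const CHUNKED_DELETE = { host: 'app.example', 'transfer-encoding': 'chunked' };

console.log('vulnerable:', normalizeFramingVulnerable('DELETE', CHUNKED_DELETE));
console.log('fixed:     ', normalizeFraming('DELETE', CHUNKED_DELETE));
```

Run against the chunked sample, the vulnerable path forwards `content-length: 0` with no `transfer-encoding`, while the fixed path forwards the headers unchanged; a GET, or a DELETE with neither header, is treated identically by both.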
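The resume-buffering advisory (CVE-2026-27979) is about one limit, `maxPostponedStateSize`, not being enforced on every buffering path. This added example, not Next.js code, shows in JavaScript the difference between an unbounded concatenation and an accumulator that enforces the limit per chunk and fails before it holds more than the budget; the same accumulator is then reused for a streamed body so that no path can skip the check. The 64 KiB limit and the chunk sizes are constructed for the demonstration.

```javascript
// Added example (not Next.js code). Every path that buffers a request body
// should go through one size-checked accumulator, so the limit (the
// advisory's maxPostponedStateSize) cannot be missed on a second code path.

class BodyTooLargeError extends Error {
  constructor(limit, received) {
    super(`postponed state exceeds ${limit} bytes (received at least ${received})`);
    this.name = 'BodyTooLargeError';
    this.limit = limit;
    this.received = received;
  }
}

// Single enforcement point: counts bytes as chunks arrive and throws before
// appending the chunk that would cross the limit, so memory stays capped.
class BoundedAccumulator {
  constructor(limit) {
    this.limit = limit;
    this.received = 0;
    this.parts = [];
  }
  push(chunk) {
    const buf = Buffer.from(chunk);
    this.received += buf.length;
    if (this.received > this.limit) {
      throw new BodyTooLargeError(this.limit, this.received);
    }
    this.parts.push(buf);
  }
  finish() {
    return Buffer.concat(this.parts);
  }
}

// Shape of the problem: concatenates whatever arrives, however large.
function bufferPostponedStateUnbounded(chunks) {
  return Buffer.concat(chunks.map((c) => Buffer.from(c)));
}

// Fixed shape for an already-collected list of chunks.
function bufferPostponedState(chunks, limit) {
  const acc = new BoundedAccumulator(limit);
  for (const chunk of chunks) acc.push(chunk);
  return acc.finish();
}

// Fixed shape for a streamed body (any async iterable of chunks, such as a
// Node request stream); reuses the same accumulator rather than re-implementing
// the limit, which is how a second vulnerable path is avoided.
async function readPostponedState(stream, limit) {
  const acc = new BoundedAccumulator(limit);
  for await (const chunk of stream) acc.push(chunk);
  return acc.finish();
}

// Constructed inputs: a tiny valid body and five 16 KiB chunks (80 KiB total)
// against a 64 KiB limit.
const LIMIT = 64 * 1024;
const SMALL = ['{"postponed":', '"state"}'];
const OVERSIZED = Array.from({ length: 5 }, () => 'x'.repeat(16 * 1024));

console.log('unbounded kept', bufferPostponedStateUnbounded(OVERSIZED).length, 'bytes');
try {
  bufferPostponedState(OVERSIZED, LIMIT);
} catch (err) {
  console.log('bounded:', err.message);
}
```

The bounded version throws while processing the fifth chunk (at 81920 bytes received) and never allocates the full body; the unbounded version happily returns all 81920 bytes, which is the behaviour the advisory describes as a denial-of-service risk.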
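The image-cache advisory (CVE-2026-27980) says the fix is an LRU-backed disk cache bounded by `images.maximumDiskCacheSize`, with `0` disabling disk caching. The following is an added example, not Next.js code, modelling that mechanism in JavaScript: a byte-budgeted cache that evicts least-recently-used variants and that stores nothing when the budget is zero. Only the bookkeeping is modelled; the on-disk layout and file deletion are not, and the cache keys and sizes are constructed for the demonstration.

```javascript
// Added example (not Next.js code). A byte-bounded LRU index for generated
// image variants: inserting past the budget evicts the least-recently-used
// entries, a hit refreshes recency, and a budget of 0 disables caching.
// A real implementation would also unlink evicted files (not modelled here).

class SizeBoundedLruCache {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.totalBytes = 0;
    this.entries = new Map(); // Map keeps insertion order: oldest entry first
    this.evicted = [];         // keys removed, for inspection/metrics
  }

  // Record a newly generated variant of `size` bytes under `key`.
  // Returns false when nothing was stored (caching disabled, or the single
  // entry is larger than the entire budget).
  set(key, size) {
    if (this.maxBytes === 0 || size > this.maxBytes) return false;
    if (this.entries.has(key)) {
      this.totalBytes -= this.entries.get(key);
      this.entries.delete(key);
    }
    while (this.totalBytes + size > this.maxBytes) {
      const [oldestKey, oldestSize] = this.entries.entries().next().value;
      this.entries.delete(oldestKey);
      this.totalBytes -= oldestSize;
      this.evicted.push(oldestKey);
    }
    this.entries.set(key, size);
    this.totalBytes += size;
    return true;
  }

  // Look up a variant; a hit moves it to the most-recently-used position.
  get(key) {
    if (!this.entries.has(key)) return undefined;
    const size = this.entries.get(key);
    this.entries.delete(key);
    this.entries.set(key, size);
    return size;
  }
}

// Constructed scenario from the advisory: many unique variants requested in a
// row. With a budget, disk use plateaus instead of growing with the request count.
function simulateVariantFlood(maxBytes, variantSize, count) {
  const cache = new SizeBoundedLruCache(maxBytes);
  for (let i = 0; i < count; i++) {
    cache.set(`/_next/image?url=/hero.png&w=${i}&q=75`, variantSize);
  }
  return cache;
}

const flooded = simulateVariantFlood(100000, 30000, 10);
console.log('entries kept:', flooded.entries.size, 'bytes used:', flooded.totalBytes, 'evicted:', flooded.evicted.length);
```

With a 100,000-byte budget and 30,000-byte variants, ten unique requests leave three entries on disk and seven evictions; without the bound the same ten requests would occupy 300,000 bytes, and the growth would continue linearly with every further unique request.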

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency
versions.

---

### Configuration

📅 **Schedule**: Branch creation - "before 7am on Wednesday" (UTC),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).


Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>
@vercel

vercel bot commented Mar 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| sam | Ready | Preview | Mar 18, 2026 5:11am |

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | @vitest/coverage-v8@3.2.4 | 99 | 100 | 72 | 99 | 100 |
| Added | clsx@2.1.1 | 100 | 100 | 94 | 80 | 100 |
| Added | date-fns-tz@3.2.0 | 100 | 100 | 100 | 80 | 100 |
| Added | change-case@5.4.4 | 100 | 100 | 94 | 80 | 100 |
| Added | cmdk@1.1.1 | 100 | 100 | 100 | 82 | 100 |
| Added | @vercel/speed-insights@1.3.1 | 99 | 100 | 86 | 88 | 100 |
| Added | echarts@6.0.0 | 90 | 100 | 100 | 88 | 100 |
| Added | @xyflow/react@12.10.1 | 97 | 100 | 100 | 92 | 100 |

View full report

@simonknittel simonknittel enabled auto-merge March 18, 2026 05:10

@simonknittel simonknittel merged commit d122a0f into main Mar 18, 2026
9 checks passed