Update dependency next to v15.1.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	15.1.0 -> 15.1.2

GitHub Vulnerability Alerts

CVE-2021-39178

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 11.1.0
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default
• Not affected: Deployments on Vercel are not affected

Patches

Next.js v11.1.1

CVE-2022-23646

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.

Impact

• Affected: All of the following must be true to be affected
  • Next.js between version 10.0.0 and 12.0.10
  • The next.config.js file has images.domains array assigned
  • The image host assigned in images.domains allows user-provided SVG
• Not affected: The next.config.js file has images.loader assigned to something other than default

Patches

Next.js 12.1.0

Workarounds

Change next.config.js to use a different loader configuration other than the default, for example:

module.exports = {
  images: {
    loader: 'imgix',
    path: 'https://example.com/myaccount/',
  },
}

Or if you want to use the loader prop on the component, you can use custom:

module.exports = {
  images: {
    loader: 'custom',
  },
}

CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

CVE-2021-37699

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

Impact

• Affected: Users of Next.js between 10.0.5 and 10.2.0
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js without getInitialProps
• Affected: Users of Next.js between 11.0.0 and 11.0.1 using pages/_error.js and next export
• Not affected: Deployments on Vercel (vercel.com) are not affected
• Not affected: Deployments with pages/404.js
• Note that versions prior to 0.9.9 package next npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

Patches

https://github.com/vercel/next.js/releases/tag/v11.1.0

CVE-2023-46298

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

CVE-2024-47831

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

• The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
• The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

CVE-2024-51479

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

CVE-2024-56332

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

---

Release Notes

vercel/next.js (next)

v15.1.2

Compare Source

v15.1.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
ding-one	❌ Failed (Inspect)			Jan 3, 2025 9:53pm

[height]

Link Height tasks by mentioning a task ID in the pull request title or commit messages, or description and comments with the keyword link (e.g. "Link T-123").

💡Tip: You can also use "Close T-X" to automatically close a task when the pull request is merged.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[what-the-diff]

PR Summary

• Package Version Update
  This pull request updates the version of the next package from 15.1.0 to 15.1.2. This change ensures that our software is running the latest stable version, ensuring performance improvements and possible bug fixes that come with the latest version.