build(deps): bump next from 15.5.10 to 15.5.19 #18
Bumps [next](https://github.com/vercel/next.js) from 15.5.10 to 15.5.15. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.10...v15.5.15)
next@15.5.10:
  resolution: {integrity: sha512-r0X65PNwyDDyOrWNKpQoZvOatw7BcsTPRKdwEqtc9cj3wv7mbBIk9tKed4klRaFXJdX0rugpuMTHslDrAU1bBg==}
next@15.5.15:
Risk: Affected versions of next are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can send a specially crafted HTTP request to any Next.js App Router Server Function endpoint that, when deserialized by the underlying React Server Components (Flight) runtime, triggers excessive CPU usage—exhausting the server process and resulting in a denial-of-service. The vulnerable deserialization path is part of the App Router's HTTP route handler, so any Next.js application that uses the App Router is reachable without any explicit Server Action declared in user code.
Manual Review Advice: A vulnerability from this advisory is reachable if you are using the App Router
Fix: Upgrade this library to at least version 15.5.16 at xcodebuildmcp.com/pnpm-lock.yaml:2219.
Reference(s): GHSA-8h8q-6873-q5fj, CVE-2026-23870
🌟 Fixed in commit 118865a 🌟
Risk: Affected versions of next are vulnerable to Server-Side Request Forgery (SSRF). Next.js's standalone router-server forwards WebSocket Upgrade requests to whatever host and port the attacker supplies in an absolute-URL request-line or Host header, because the upgrade handler in packages/next/src/server/lib/router-server.ts invokes proxyRequest(...) whenever parsedUrl.protocol is set, without the finished/statusCode guards that protect normal HTTP requests. An unauthenticated attacker can therefore make a self-hosted Next.js process open an outbound TCP connection to arbitrary internal or external destinations (e.g. cloud metadata endpoints such as 169.254.169.254, internal Redis/Elasticsearch/Kubelet, etc.), enabling SSRF and potential cloud credential theft. Upgrade to next@15.5.16 or next@16.2.5.
Manual Review Advice: A vulnerability from this advisory is reachable if you self-host your Next.js application instead of using Vercel-hosted deployments
Fix: Upgrade this library to at least version 15.5.16 at xcodebuildmcp.com/pnpm-lock.yaml:2219.
Reference(s): GHSA-c4j6-fc7j-m34r, CVE-2026-44578
🧼 Fixed in commit 118865a 🧼
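Both comments above set the same bar for the 15.x line (next 15.5.16 at the locked `next@` entry in pnpm-lock.yaml), and the SSRF advisory adds 16.2.5 for 16.x. The following check is an added example, not code from this PR, from Semgrep or from Next.js: it scans a pnpm v9 lockfile for every resolved `next` version (both the `packages:` key and the peer-suffixed `snapshots:` key) and reports any that is still below the fixed release for its major line. The fixed-version table is taken from the two comments; the lockfile excerpt is constructed, with the `15.5.10` entry mirroring this PR and the `16.1.0` and `15.5.19` entries invented to exercise the comparison.

```javascript
// Added example (not part of this PR or of Next.js): scan a pnpm-lock.yaml
// for resolved `next` versions and flag any below the fixed releases that the
// review comments above name.

// Minimum fixed versions per major line, as given in the comments on this PR:
// 15.5.16 for the 15.x line (both advisories) and 16.2.5 for 16.x (GHSA-c4j6-fc7j-m34r).
const FIXED_NEXT = { 15: "15.5.16", 16: "16.2.5" };

// Parse "1.2.3" or "1.2.3-canary.4"; the prerelease tag is kept so that a
// canary of the fixed version still sorts below the release.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ?? null };
}

// Semver-style ordering: numeric fields first, then a prerelease sorts below
// the corresponding release. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every resolved version of `pkg` in a pnpm v9 lockfile. Keys look like
// `next@15.5.15:` under `packages:` and `next@15.5.15(react@19.1.0):` under
// `snapshots:`; the peer-dependency suffix in parentheses is ignored.
function lockedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^\\s*${escaped}@(\\d[^:(]*)(?:\\(.*\\))?:\\s*$`, "gm");
  const found = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return [...found];
}

// Locked `next` versions still below the fixed release for their major line.
// A major this page gives no fixed version for is reported rather than passed.
function vulnerableNextVersions(lockText) {
  return lockedVersions(lockText, "next").flatMap((version) => {
    const fixed = FIXED_NEXT[parseVersion(version).major];
    if (fixed === undefined) return [{ version, status: "no fixed version known" }];
    return compareVersions(version, fixed) < 0 ? [{ version, status: `below ${fixed}` }] : [];
  });
}

// Constructed lockfile excerpt in the layout shown on this PR. The 15.5.10
// entry mirrors the PR; the 16.1.0 and 15.5.19 entries are invented for the check.
const SAMPLE_LOCK = `
packages:

  next@15.5.10:
    resolution: {integrity: sha512-r0X65PNwyDDyOrWNKpQoZvOatw7BcsTPRKdwEqtc9cj3wv7mbBIk9tKed4klRaFXJdX0rugpuMTHslDrAU1bBg==}
    engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0}

  next@16.1.0:
    resolution: {integrity: sha512-constructedplaceholder}

snapshots:

  next@15.5.19(react-dom@19.1.0(react@19.1.0))(react@19.1.0):
    dependencies:
      react: 19.1.0
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of vulnerableNextVersions(SAMPLE_LOCK)) {
    console.log(`next@${hit.version}: ${hit.status}`);
  }
}
```

Run against a real lockfile with `vulnerableNextVersions(fs.readFileSync("pnpm-lock.yaml", "utf8"))`; an empty result means every locked `next` entry, including peer-suffixed snapshot keys, is at or above the fixed release for its line. The prerelease handling matters because a `15.5.16-canary.N` build predates 15.5.16 and must not pass as fixed.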
Fixes Linear issue ENG-7388

@cursor address PR comments and failing status check
Perfect! I've successfully addressed the PR comments and the failing status check. Here's what I accomplished:

Changes Made

Upgraded Next.js from 15.5.15 to 15.5.19 to resolve the security vulnerabilities flagged in the PR comments.

Security Issues Resolved

Both vulnerabilities required at least version 15.5.16. Upgraded to 15.5.19 (latest in the 15.5.x series) for maximum security.

Verification

The PR is now ready for review with all security vulnerabilities addressed.
Addresses CVE-2026-23870 and CVE-2026-44578 vulnerabilities that required at least version 15.5.16. Upgrading to 15.5.19 (latest in 15.5.x series) to ensure all security issues are resolved. Co-authored-by: Cameron Cooke <web@cameroncooke.com>


Summary
Upgrades next from 15.5.10 to 15.5.15.
Vulnerability details
cameron.cooke@sentry.io requested this Autofix PR for this finding.
Affected versions of next are vulnerable to Allocation of Resources Without Limits or Throttling. A specially crafted HTTP request to a Next.js App Router Server Function endpoint can trigger excessive CPU consumption during React Server Components deserialization, leading to denial of service.
References: GHSA
Upgrade guidance
✨ Semgrep thinks this is safe to upgrade ✅
7 functions in use unchanged
next.config.mjs.nextConfig
next.Metadata
next/server.NextResponse
next/server.NextResponse.json
next/link.default
next/image.default
next.config.mjs.default
next references
Release notes
Sourced from next's releases.
Commits
412eb90 v15.5.15
cb90de9 [15.x] Avoid consuming cyclic models multiple times (#74)
fffef9e Fix CI for glibc linux builds
d7b012d v15.5.14
2b05251 [backport] feat(next/image): add lru disk cache and `images.maximumDiskCacheS...
f88cee9 Backport: Fix(pages-router): restore Content-Length and ETag for /_next/data/...
cfd5f53 v15.5.13
15f2891 [backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#...
d23f41c v15.5.12
8e75765 fix unlock in publish-native