🚨 [security] [test] Update next 13.5.7 → 15.4.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next (13.5.7 → 15.4.0) · Repo

Security Advisories 🚨

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js authorization bypass vulnerability

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

🚨 Denial of Service condition in Next.js image optimization

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

• The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
• The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

🚨 Next.js Server-Side Request Forgery in Server Actions

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

• Next.js (<14.1.1) is running in a self-hosted* manner.
• The Next.js application makes use of Server Actions.
• The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn't find anything useful about this release.

✳️ @​playwright/test (1.39.0 → 1.53.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​next/env (indirect, 13.5.7 → 15.4.0-canary.57) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ @​swc/helpers (indirect, 0.5.2 → 0.5.15) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ caniuse-lite (indirect, 1.0.30001418 → 1.0.30001723) · Repo · Changelog

↗️ playwright (indirect, 1.39.0 → 1.53.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ playwright-core (indirect, 1.39.0 → 1.53.0) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ styled-jsx (indirect, 5.1.1 → 5.1.6) · Repo · Changelog

Release Notes

5.1.6

5.1.6 (2024-05-24)

Bug Fixes

• Move TypeScript to devDependencies (#848) (d5bd4ed)

5.1.5

5.1.5 (2024-05-24)

Bug Fixes

• Correct context for declaration files (#847) (3e372f2)

5.1.4

5.1.4 (2024-05-24)

Bug Fixes

• Use scoped JSX namespace (#846) (0254816)

5.1.3

5.1.3 (2024-05-07)

Bug Fixes

• bump peer dep for react 19 (#844) (18ddefd)

5.1.2

5.1.2 (2023-01-25)

Bug Fixes

• including global typing (#826) (5870e59)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• fix: Move TypeScript to `devDependencies` (#848)
• fix: Correct context for declaration files (#847)
• fix: Use scoped JSX namespace (#846)
• fix: bump peer dep for react 19 (#844)
• chore: bump loader-utils version (#845)
• chore: update issue template (#839)
• fix: including global typing (#826)

↗️ tslib (indirect, 2.4.1 → 2.8.1) · Repo

Release Notes

2.8.1

What's Changed

• Fix publish workflow by @andrewbranch in #271
• Include non-enumerable keys in __importStar helper by @rbuckton in #272
• Remove use of ES2015 syntax by @andrewbranch in #275

Full Changelog: v2.8.0...v2.8.1

2.8.0

What's Changed

• Validate export structure of every entrypoint by @andrewbranch in #269
• Add rewriteRelativeImportExtension helper by @andrewbranch in #270

Full Changelog: v2.7.0...v2.8.0

2.7.0

What's Changed

• Implement deterministic collapse of await in await using by @rbuckton in #262
• Use global 'Iterator.prototype' for downlevel generators by @rbuckton in #267

Full Changelog: v2.6.3...v2.7.0

2.6.3

What's Changed

• 'await using' normative changes by @rbuckton in #258

Full Changelog: v2.6.2...v2.6.3

2.6.2

What's Changed

• Fix path to exports["module"]["types"] by @andrewbranch in #217

Full Changelog: v2.6.1...v2.6.2

2.6.1

What's Changed

• Allow functions as values in __addDisposableResource by @rbuckton in #215
• Stop using es6 syntax in the es6 file by @andrewbranch in #216

Full Changelog: 2.6.0...v2.6.1

2.6.0

What's Changed

• Add helpers for using and await using by @rbuckton in #213

Full Changelog: v2.5.3...2.6.0

2.5.3

What's Changed

• Do not reference tslib.es6.js from package.json exports by @andrewbranch in #208

Full Changelog: 2.5.2...v2.5.3

2.5.2

This release explicitly re-exports helpers to work around TypeScript's incomplete symbol resolution for tslib.

2.5.1

This release of tslib provides fixes for two issues.

First, it reverses the order of init hooks provided by decorators to correctly reflect proposed behavior.

Second, it corrects the exports field of tslib's package.json and provides accurate declaration files so that it may be consumed under the node16 and bundler settings for moduleResolution.

2.5.0

What's New

• Fix asyncDelegator reporting done too early by @apendua in #187
• Add support for TypeScript 5.0's __esDecorate and related helpers by @rbuckton in #193

Full Changelog: 2.4.1...2.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 71 commits:

• 2.8.1
• Merge pull request #275 from microsoft/bug/es5-compat
• Remove use of ES2015 syntax
• Include non-enumerable keys in __importStar helper (#272)
• Add missing registry-url parameter
• Merge pull request #271 from microsoft/fix-publish
• Fix publish workflow
• 2.8.0
• Merge pull request #270 from microsoft/rewriteRelativeImportExtension
• Missed update
• Little optimizations
• Add URL-ish test
• Combine tsx case into regex
• Test and fix invalid declaration-looking extensions
• Do more with a regex
• Shorten by one line
• Case insensitivity, remove lookbehind
• Add rewriteRelativeImportExtension helper
• Merge pull request #269 from microsoft/test-infrastructure
• Test export structure
• Bump version to 2.7.0.
• Use global 'Iterator.prototype' for downlevel generators (#267)
• Implement deterministic collapse of 'await' in 'await using' (#262)
• 2.6.3
• 'await using' normative changes (#258)
• Bump the github-actions group with 3 updates (#253)
• Bump the github-actions group with 1 update (#242)
• Bump the github-actions group with 1 update (#241)
• Bump the github-actions group with 2 updates (#240)
• JSDoc typo on `__exportStar`. (#221)
• Bump the github-actions group with 1 update (#233)
• Bump the github-actions group with 1 update (#230)
• Bump the github-actions group with 2 updates (#228)
• Pin CI actions missed in previous PR
• CI: Hashpin sensitive actions and install dependabot (#226)
• Fix __asyncGenerator to properly handle AsyncGeneratorUnwrapYieldResumption (#222)
• Update codeql workflow using GUI (#223)
• CI: set minimal permissions for GitHub Workflows (#218)
• 2.6.2
• Merge pull request #217 from microsoft/bug/fix-modules-condition-types-path
• Fix path to exports["module"]["types"]
• 2.6.1
• Merge pull request #216 from microsoft/bug/205
• Undo format on save
• Stop using es6 syntax in the es6 file
• Allow functions as values in __addDisposableResource (#215)
• 2.6.0
• Add helpers for `using` and `await using` (#213)
• 2.5.3
• Merge pull request #208 from microsoft/moar-modules
• Do not reference tslib.es6.js from package.json exports
• Bump version to 2.5.2.
• Use named reexport to satsify incomplete TS symbol resolution (#204)
• Reverse order of decorator-injected initializers (#202)
• Merge pull request #200 from Andarist/fix/import-types
• Update modules/index.d.ts
• Merge pull request #201 from microsoft/fix-esm
• Merge pull request #179 from guybedford/patch-4
• Add default export to modules/index.js
• Ensure tslib.es6.js is typed
• Add Node-specific export condition for ESM entrypoint that re-exports CJS
• Add propert declaration file for the `import` condition
• Merge pull request #195 from xfq/https
• http -> https
• Merge pull request #194 from microsoft/bump-version-2.5
• Bump package version to 2.5.0
• Add support for __esDecorate and related helpers (#193)
• Merge pull request #188 from microsoft/add-codeql
• try paths: .
• add codeql
• Fix asyncDelegator reporting done too early (#187)

🆕 @​emnapi/runtime (added, 1.4.3)

🆕 @​img/sharp-darwin-arm64 (added, 0.34.2)

🆕 @​img/sharp-darwin-x64 (added, 0.34.2)

🆕 @​img/sharp-libvips-darwin-arm64 (added, 1.1.0)

🆕 @​img/sharp-libvips-darwin-x64 (added, 1.1.0)

🆕 @​img/sharp-libvips-linux-arm (added, 1.1.0)

🆕 @​img/sharp-libvips-linux-arm64 (added, 1.1.0)

🆕 @​img/sharp-libvips-linux-ppc64 (added, 1.1.0)

🆕 @​img/sharp-libvips-linux-s390x (added, 1.1.0)

🆕 @​img/sharp-libvips-linux-x64 (added, 1.1.0)

🆕 @​img/sharp-libvips-linuxmusl-arm64 (added, 1.1.0)

🆕 @​img/sharp-libvips-linuxmusl-x64 (added, 1.1.0)

🆕 @​img/sharp-linux-arm (added, 0.34.2)

🆕 @​img/sharp-linux-arm64 (added, 0.34.2)

🆕 @​img/sharp-linux-s390x (added, 0.34.2)

🆕 @​img/sharp-linux-x64 (added, 0.34.2)

🆕 @​img/sharp-linuxmusl-arm64 (added, 0.34.2)

🆕 @​img/sharp-linuxmusl-x64 (added, 0.34.2)

🆕 @​img/sharp-wasm32 (added, 0.34.2)

🆕 @​img/sharp-win32-arm64 (added, 0.34.2)

🆕 @​img/sharp-win32-ia32 (added, 0.34.2)

🆕 @​img/sharp-win32-x64 (added, 0.34.2)

🆕 color (added, 4.2.3)

🆕 color-string (added, 1.9.1)

🆕 detect-libc (added, 2.0.4)

🆕 is-arrayish (added, 0.3.2)

🆕 sharp (added, 0.34.2)

🆕 simple-swizzle (added, 0.2.2)

🗑️ @​next/swc-win32-ia32-msvc (removed)

🗑️ busboy (removed)

🗑️ glob-to-regexp (removed)

🗑️ streamsearch (removed)

🗑️ watchpack (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #180.