chore(deps): update dependency next to v14.2.35 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
next (source)	14.2.26 -> 14.2.35

GitHub Vulnerability Alerts

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

GHSA-mwv6-3258-q52c

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

GHSA-5j59-xgg2-r9c4

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and did not fully prevent denial-of-service attacks in all payload types. This affects React package versions 19.0.2, 19.1.3, and 19.2.2 and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious HTTP request can be crafted and sent to any Server Function endpoint that, when deserialized, can enter an infinite loop within the React Server Components runtime. This can cause the server process to hang and consume CPU, resulting in denial of service in unpatched environments.

---

Release Notes

vercel/next.js (next)

v14.2.35

Compare Source

v14.2.34

Compare Source

v14.2.33

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• omit searchParam data from FlightRouterState before transport (#​80734)

Credits

Huge thanks to @​ztanner for helping!

v14.2.32

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix router handling when setting a location response header #​82588

Credits

Huge thanks to @​ztanner for helping!

v14.2.31

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(next/image): improve and simplify detect-content-type (#​82179)
• fix(next/image): fix image-optimizer.ts headers (#​82178)

Credits

Huge thanks to @​styfle and @​ztanner for helping!

v14.2.30

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Backport config.allowedDevOrigins (#​80410) (Learn More)

Credits

Huge thanks to @​ijjk and @​ztanner for helping!

v14.2.29

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Only share incremental cache for edge in next start (#​79389)

Credits

Huge thanks to @​ijjk for helping!

v14.2.28

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: node.js module import error when using middleware (#​77945)

Credits

Huge thanks to @​ztanner for helping!

v14.2.27

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix dynamic route interception not working when deployed with middleware (#​64923)

Credits

Huge thanks to @​ztanner for helping!

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

• Chores
  • Updated Next.js dependencies to version 14.2.35 across example projects for improved compatibility and stability.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (536fc86) to head (6430212).

Additional details and impacted files

@@              Coverage Diff              @@
##           development      #186   +/-   ##
=============================================
  Coverage       100.00%   100.00%           
=============================================
  Files               12        12           
  Lines               96        96           
  Branches            17        17           
=============================================
  Hits                96        96           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Walkthrough

Next.js dependency version bumped from 14.2.26 to 14.2.35 in two example project package.json files. No code logic, functionality, or control flow changes. These are configuration-only updates for dependency management.

Changes

Cohort / File(s)	Summary
Next.js dependency updates examples/with-app-router-context/package.json, examples/with-app-router-script/package.json	Updated next dependency from 14.2.26 to 14.2.35 in both example projects

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Straightforward, homogeneous dependency version bumps across two files
• No code logic, control flow, or functional changes to evaluate
• Minimal risk: patch-level version increments within the same minor version

Poem

🐰 Two little hops, two version bumps so fine,
Next.js now springs from twenty-six to thirty-five's line,
Example gardens grow with fresher seeds today,
Patches and polish to brighten the way! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating the Next.js dependency to v14.2.35 for security fixes, directly matching the changeset modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/npm-next-vulnerability

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)

• CVE-2025: Request failed with status code 404
• GHSA-4342: Request failed with status code 404

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jagjotsinghparry]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (2)

examples/with-app-router-script/package.json (1)

6-6: Consider adding allowedDevOrigins for CVE-2025-48068 mitigation.

CVE-2025-48068 mitigation requires configuring allowedDevOrigins in next.config.js to opt into the fix after upgrading. This low-severity vulnerability affects the dev server when a developer visits a malicious website while running next dev with App Router enabled.

While this is a low-severity dev-only issue, configuring allowedDevOrigins restricts WebSocket connections to trusted origins and provides defense-in-depth.

Add a next.config.js file (if not already present) with:

// next.config.js
module.exports = {
  allowedDevOrigins: ['localhost', '127.0.0.1'],
};

examples/with-app-router-context/package.json (1)

6-6: Consider adding allowedDevOrigins for CVE-2025-48068 mitigation.

CVE-2025-48068 mitigation requires configuring allowedDevOrigins in next.config.js to opt into the fix after upgrading. This low-severity vulnerability affects the dev server when a developer visits a malicious website while running next dev with App Router enabled.

While this is a low-severity dev-only issue, configuring allowedDevOrigins restricts WebSocket connections to trusted origins and provides defense-in-depth.

Add a next.config.js file (if not already present) with:

// next.config.js
module.exports = {
  allowedDevOrigins: ['localhost', '127.0.0.1'],
};

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 536fc86 and 6430212.

⛔ Files ignored due to path filters (3)

• examples/with-app-router-context/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• examples/with-app-router-script/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• examples/with-app-router-context/package.json (1 hunks)
• examples/with-app-router-script/package.json (1 hunks)

🔇 Additional comments (1)

examples/with-app-router-context/package.json (1)

17-17: Version bump to 14.2.35 is appropriate and addresses security concerns for 14.x.

Next.js 14.2.35 is the recommended patch for the 14.x release line, and is not affected by React2Shell (CVE-2025-55182), which only impacts Next.js versions ≥14.3.0-canary.77, ≥15 and ≥16. React 19.0, 19.1.0, 19.1.1, and 19.2.0 are vulnerable, with fixes in versions 19.0.1, 19.1.2, and 19.2.1, while applications on Next.js 13.3 or later version 13 (13.3.x, 13.4.x, or 13.5.x) should upgrade to version 14.2.35.

Next.js 14.2.35 includes fixes for CVE-2025-55184 (Denial of Service - CVSS 7.5) and CVE-2025-55183 (Source Code Exposure - CVSS 5.3), with a complete fix issued under CVE-2025-67779. Additionally, 14.2.35 addresses CVE-2025-57752 (fixed in v14.2.31) and CVE-2025-55173 (fixed in v14.2.31), which involved cache key confusion and image optimization content injection vulnerabilities, as well as CVE-2025-57822 affecting middleware, which was addressed in v14.2.32. Note that the initial fix for CVE-2025-55184 was incomplete; a complete fix has been issued under CVE-2025-67779, and if you previously upgraded to initially recommended versions, upgrade again to the latest patched versions.

React 18.3.1 is not affected by React2Shell as it only impacts React 19.x.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Version mismatch: eslint-config-next is ahead of next.

The eslint-config-next is at version 15.2.4 while next is at 14.2.35. While this may work, it's generally recommended to keep these versions aligned to the same major version to avoid potential compatibility issues.

Consider aligning the versions:

-    "eslint-config-next": "15.2.4",
+    "eslint-config-next": "14.2.35",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"eslint-config-next": "15.2.4",
	"eslint-config-next": "14.2.35",

🤖 Prompt for AI Agents

examples/with-app-router-context/package.json lines 16-16: eslint-config-next is
on 15.2.4 while next is 14.2.35; update package.json so both packages use the
same major version (either pin eslint-config-next to a 14.x release matching
next, or upgrade next to 15.x to match eslint-config-next), then run your
package manager install and re-run lint/build to verify compatibility.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Version mismatch: eslint-config-next is ahead of next.

The eslint-config-next is at version 15.2.4 while next is at 14.2.35. While this may work, it's generally recommended to keep these versions aligned to the same major version to avoid potential compatibility issues.

Consider aligning the versions:

-    "eslint-config-next": "15.2.4",
+    "eslint-config-next": "14.2.35",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"eslint-config-next": "15.2.4",
	"eslint-config-next": "14.2.35",

🤖 Prompt for AI Agents

In examples/with-app-router-script/package.json around line 16,
eslint-config-next is at 15.2.4 while next is 14.2.35; update package.json to
align versions by either downgrading eslint-config-next to a 14.x matching next
or upgrading next to 15.x so both share the same major version, then run
npm/yarn install and test linting/build to ensure compatibility.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Next.js 14.2.35 is the appropriate security patch for the 14.x release line.

CVE-2025-55182 (React2Shell) is a critical CVSS 10.0 vulnerability affecting React versions 19.x and Next.js versions 15.x and 16.x when using App Router. Next.js 14.x stable is not affected. The version bump is therefore appropriate.

CVE-2025-57752, a cache deception vulnerability in Next.js Image Optimization, was fixed in v14.2.31. CVE-2025-48068, a dev server source code exposure issue, was fixed in versions 14.2.30 and 15.2.2. Since 14.2.35 includes both fixes, the security improvements are confirmed.

However, address the version mismatch: eslint-config-next is pinned to version 15.2.4, which corresponds to Next.js 15.x, while next is 14.2.35. Update eslint-config-next to the 14.2.x series to match the Next.js version.

🤖 Prompt for AI Agents

In examples/with-app-router-script/package.json around line 17,
eslint-config-next is pinned to 15.2.4 while next is 14.2.35; update
eslint-config-next to the matching 14.2.x series (e.g., 14.2.35 or a compatible
14.2.*) in package.json, then reinstall dependencies (npm/yarn/pnpm install) to
update the lockfile and run the linter to confirm no configuration mismatches
remain.