Skip to content

fix(deps): Update dependency next to v16.1.5 [SECURITY] #268

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): Update dependency next to v16.1.5 [SECURITY] #268

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 12, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
next (source) 16.0.916.1.5 age confidence

GitHub Vulnerability Alerts

GHSA-5j59-xgg2-r9c4

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

GHSA-h25m-26qc-wcjf

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

  1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

  2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

Release Notes

vercel/next.js (next)

v16.1.5

Compare Source

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

Compare Source

v16.1.3

Compare Source

v16.1.2

Compare Source

v16.1.1

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Turbopack: Create junction points instead of symlinks on Windows (#​87606)
Credits

Huge thanks to @​sokra and @​ztanner for helping!

v16.1.0

Compare Source

v16.0.11

Compare Source

Please see this changelog for more information about this security patch.

v16.0.10

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate using a curated preset maintained by Sanity. View repository job log here

@vercel
Copy link

vercel bot commented Dec 12, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
css-in-js-benchmarks Ready Ready Preview, Comment Feb 2, 2026 4:32pm
css-in-js-next Ready Ready Preview, Comment Feb 2, 2026 4:32pm
styled-components-examples-next-app-router Ready Ready Preview, Comment Feb 2, 2026 4:32pm
styled-components-examples-next-pages-router Ready Ready Preview, Comment Feb 2, 2026 4:32pm

Request Review

@renovate renovate bot added the 📦 deps label Dec 12, 2025
@changeset-bot
Copy link

changeset-bot bot commented Dec 12, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: 22392f1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security
Copy link

socket-security bot commented Dec 12, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​next@​16.0.9 ⏵ 16.1.562 -20100 +249097 +4770
Updatednpm/​react@​19.3.0-canary-bcf97c75-20251215 ⏵ 19.3.0-canary-ed4bd540-20260202100 +110084 +198100
Updatednpm/​react-dom@​19.3.0-canary-bcf97c75-20251215 ⏵ 19.3.0-canary-ed4bd540-20260202100 +110092 +198 +1100
Updatednpm/​react-is@​19.3.0-canary-bcf97c75-20251215 ⏵ 19.3.0-canary-ed4bd540-2026020210010010098100

View full report

@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 646f913 to dc95d70 Compare December 17, 2025 09:53
@renovate renovate bot changed the title fix(deps): Update dependency next to v16.0.9 [SECURITY] fix(deps): Update dependency next to v16.0.10 [SECURITY] Dec 17, 2025
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from dc95d70 to b987d70 Compare December 18, 2025 08:25
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from b987d70 to 9abba39 Compare December 31, 2025 18:35
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 9abba39 to 0ae9de7 Compare January 8, 2026 20:55
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 0ae9de7 to abd09cc Compare January 19, 2026 17:39
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from abd09cc to 9147638 Compare January 23, 2026 22:36
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from 9147638 to e400c14 Compare January 27, 2026 23:28
@renovate renovate bot changed the title fix(deps): Update dependency next to v16.0.10 [SECURITY] fix(deps): Update dependency next to v16.1.5 [SECURITY] Jan 27, 2026
@renovate renovate bot force-pushed the renovate/npm-next-vulnerability branch from e400c14 to 22392f1 Compare February 2, 2026 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🤖 bot 📦 deps

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants