The next npm package, version 0.1.0, represents an early iteration of Node.js extensions aimed at providing utility functionality. This initial release, dating back to July 2011, has a simple dependency structure, relying solely on the "es5-ext" package (version 0.5.x). This suggests a focus on enhancing or extending ECMAScript 5 functionality within the Node.js environment. Given its age and single dependency, developers should expect this version to provide foundational tools, potentially addressing common JavaScript shortcomings or offering convenience methods for working with data structures and object manipulation on older JavaScript engines.
The absence of any declared devDependencies implies that tooling such as linters or testing frameworks was either not integral to the development process at this stage or was managed externally. Its repository location on GitHub under the medikoo/node-ext organization reveals its origin as part of a broader collection of Node.js extensions.
The provided data lacks specifics on the immediately preceding stable version, so developers considering next@0.1.0 should be aware that it is an extremely early release with minimal dependencies. Given the gap between this version and current releases, compatibility problems with the present-day ecosystem are a real risk. The value of this version lies fundamentally in particular use cases where minimal dependencies are key; if an older version is required, this is an option.
All vulnerabilities related to version 0.1.0 of the package
Directory Traversal in Next.js
serverless target, next export
We recommend that everyone upgrade regardless of whether you can reproduce the issue or not.
https://github.com/zeit/next.js/releases/tag/v9.3.2
Next.js Race Condition to Cache Poisoning
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
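The advisory above asks that external image sources be strictly validated. The following is an added example written for this page, not code from Next.js or Vercel: it places a permissive remotePatterns entry (any HTTPS host) beside a strict one pinned to a single host and path prefix, and runs a simplified allowlist matcher over constructed sample URLs. The matcher, the treatment of legacy images.domains entries as exact hostnames, and every hostname and URL in it are assumptions made for the example; the real framework's matching rules are not reproduced here.

```javascript
// Added example for this page, not code from Next.js or Vercel.
// First config: a permissive remotePatterns entry that admits any HTTPS host.
// Second config: a strict entry pinned to one host and one path prefix.
// The matcher below is a simplified illustration of allowlist matching written
// for this example; it is not Next.js's own implementation (assumption).
// Hostnames and URLs are constructed sample values.

const permissiveImages = {
  remotePatterns: [{ protocol: 'https', hostname: '**' }], // any host at all
};

const strictImages = {
  remotePatterns: [
    { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
  ],
};

// Turn a hostname/pathname glob into an anchored RegExp.
// "**" spans any number of segments; "*" stays within a single segment,
// so singleSegmentClass is "[^.]*" for hostnames and "[^/]*" for paths.
function globToRegExp(glob, singleSegmentClass) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const source = escaped
    .replace(/\*\*/g, '\u0000') // placeholder so "**" survives the next step
    .replace(/\*/g, singleSegmentClass)
    .replace(/\u0000/g, '.*');
  return new RegExp(`^${source}$`);
}

// Merge legacy images.domains entries with images.remotePatterns.
// Assumption for this example: a domains entry is treated as an exact hostname
// with no protocol or path restriction.
function allowedPatterns(images) {
  const fromDomains = (images.domains ?? []).map((hostname) => ({ hostname }));
  return [...(images.remotePatterns ?? []), ...fromDomains];
}

// True when the source URL matches at least one allowlist entry on every
// dimension that entry specifies (protocol, port, hostname, pathname).
function isAllowedImageSource(src, images) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false; // unparsable input is never allowed
  }
  return allowedPatterns(images).some((p) => {
    if (p.protocol && url.protocol !== `${p.protocol}:`) return false;
    if (p.port !== undefined && url.port !== String(p.port)) return false;
    if (!globToRegExp(p.hostname, '[^.]*').test(url.hostname)) return false;
    return globToRegExp(p.pathname ?? '/**', '[^/]*').test(url.pathname);
  });
}

// Constructed sample sources.
const trustedAsset = 'https://cdn.example.com/assets/logo.png';
const foreignHost = 'https://other-host.example.net/assets/logo.png';

console.log('permissive admits foreign host:', isAllowedImageSource(foreignHost, permissiveImages));
console.log('strict admits foreign host:', isAllowedImageSource(foreignHost, strictImages));
console.log('strict admits trusted asset:', isAllowedImageSource(trustedAsset, strictImages));
```

The point of the side-by-side configs is that a wildcard hostname turns the optimizer into an open fetch proxy for whatever host a caller names, whereas the strict entry restricts protocol, host and path prefix together; the matcher makes that difference checkable against concrete URLs before a deployment.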
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
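The advisory above describes incoming headers being reflected back into the response when the raw request header bag is handed to NextResponse.next(). The following is an added example written for this page, not code from Next.js or Vercel. It shows two things a self-hosted operator can apply: forwarding only an allowlisted subset of incoming headers, built into a fresh Headers object, and a verification helper that reports which incoming headers come back verbatim in a response, which is the symptom the advisory names. The allowlist, the header names and the sample request are constructed for the example (assumptions); Headers is the WHATWG class available globally in Node 18+, and the `request.headers` option shape follows the documented way of passing modified request headers to NextResponse.next().

```javascript
// Added example for this page, not code from Next.js or Vercel.
// Allowlist, header names and sample values are constructed (assumptions).

const FORWARD_ALLOWLIST = ['accept', 'accept-language', 'user-agent', 'x-request-id'];

// Copy only allowlisted request headers into a fresh Headers object.
// Anything not named here, including internal or credential-bearing headers,
// is dropped rather than carried through.
function selectRequestHeaders(incoming, allowlist = FORWARD_ALLOWLIST) {
  const selected = new Headers();
  for (const name of allowlist) {
    const value = incoming.get(name);
    if (value !== null) selected.set(name, value);
  }
  return selected;
}

// Options a middleware would hand to NextResponse.next(): modified request
// headers go under `request.headers`; response headers are set explicitly and
// are never derived from the incoming bag.
function nextOptions(incoming) {
  return {
    request: { headers: selectRequestHeaders(incoming) },
    headers: { 'x-frame-options': 'DENY' }, // constructed response header
  };
}

// Verification helper: given the request headers a middleware received and
// the response headers it produced, return the names whose values were echoed
// unchanged. A non-empty result is the reflection the advisory describes.
function reflectedHeaders(requestHeaders, responseHeaders) {
  const echoed = [];
  for (const [name, value] of requestHeaders) {
    if (responseHeaders.get(name) === value) echoed.push(name);
  }
  return echoed.sort();
}

// Constructed sample request: ordinary headers plus one internal-looking one.
const sampleRequest = new Headers({
  accept: 'text/html',
  'user-agent': 'example-client/1.0',
  cookie: 'session=constructed-value',
  'x-internal-note': 'constructed-value', // must never reach the response
});

// The pattern to avoid, simulated: response headers built from the raw request bag.
const weakResponseHeaders = new Headers(sampleRequest);
console.log('echoed by weak pattern:', reflectedHeaders(sampleRequest, weakResponseHeaders));

// The allowlisted pattern: nothing from the request is echoed in the response.
const options = nextOptions(sampleRequest);
console.log('echoed by allowlisted pattern:', reflectedHeaders(sampleRequest, new Headers(options.headers)));
console.log('forwarded request headers:', [...options.request.headers.keys()]);
```

reflectedHeaders is the check to run in a test against your own middleware after upgrading: feed it the headers of a request carrying a marker value and the headers of the response the middleware produced, and expect an empty list.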