next version 0.2.7 is a minor update to Mariusz Nowak's Node.js extensions library, following version 0.2.6. Both versions are published on npm with source on GitHub and provide helpers for extending Node.js. The runtime dependencies es5-ext (0.7.x) and deferred (0.4.x) are identical in both releases, so upgrading from 0.2.6 does not change the dependency tree; tad (0.1.x) remains the dev dependency that runs the test suite.
The only difference recorded in the package metadata is the publish date: 0.2.7 was published on January 22, 2012, one day after 0.2.6 (January 21, 2012). A follow-up release one day after the previous one is usually a bug fix or a small correction to that version; the metadata does not say what changed.
For developers still depending on this library, it is a small package installable through npm, and its source can be reviewed on GitHub. The specific changes in 0.2.7 are not detailed in the available data, so the practical advice is to take 0.2.7 over 0.2.6 and get whatever fix prompted the quick follow-up. Two cautions: the last 0.2.x release dates from 2012, so "latest" should not be read as "actively maintained", and the next package name on npm has since been taken over by Next.js (Vercel's React framework), so npm install next without an explicit 0.2.x version range installs that framework rather than this library.
Vulnerabilities published against the next package name. Every advisory below concerns Next.js, which later took over the next name on npm; the affected and fixed versions are Next.js releases (9.x, 14.x, 15.x), and none of them describes the 0.2.x extensions library.
Directory Traversal in Next.js
Deployment modes called out by name in the advisory: the serverless target and next export.
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
https://github.com/zeit/next.js/releases/tag/v9.3.2
Next.js Race Condition to Cache Poisoning
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
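As an added example (not Next.js code and not configuration taken from the advisory), the following Node script places a weak images.remotePatterns entry beside a strict one and checks sample sources against both with a small matcher written for this page. The matcher only approximates the documented wildcard semantics of remotePatterns; the sample URLs, the allow-list entries, and the assumptions that a single * stays within one hostname label or path segment, that ** crosses them, and that an omitted pathname or port matches anything are this example's, not the framework's.

```javascript
// Added example (not Next.js's own code): a matcher approximating the documented
// wildcard semantics of images.remotePatterns, used to show why a permissive
// pattern lets an attacker-hosted source through the optimizer's allow-list.
// Assumptions: '*' matches one hostname label or one path segment, '**' matches
// any number of them, an omitted pathname matches every path, and an omitted
// port matches every port. Run with: node this-file.js

// Weak configuration (assumed): every HTTPS host passes the allow-list, so an
// attacker can point the image optimizer at content they control.
const WEAK_REMOTE_PATTERNS = [
  { protocol: 'https', hostname: '**' },
];

// Strict configuration (assumed): one origin, one path prefix, explicit scheme.
const STRICT_REMOTE_PATTERNS = [
  { protocol: 'https', hostname: 'cdn.example.com', pathname: '/images/**' },
];

// Convert a remotePatterns glob into an anchored, case-insensitive RegExp.
// `boundary` is the character a single '*' may not cross: '.' for hostnames,
// '/' for paths.
function globToRegExp(glob, boundary) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      if (glob[i + 1] === '*') { re += '.*'; i++; }        // '**' crosses boundaries
      else re += boundary === '.' ? '[^.]*' : '[^/]*';     // '*' stays in one label/segment
    } else {
      re += c.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');      // escape regex metacharacters
    }
  }
  return new RegExp(`^${re}$`, 'i');
}

// True when `src` is an absolute URL accepted by at least one pattern.
// Unparseable or relative sources are rejected rather than guessed at.
function isAllowedRemoteImage(src, remotePatterns) {
  let url;
  try { url = new URL(src); } catch { return false; }
  const scheme = url.protocol.replace(/:$/, '');
  return remotePatterns.some((p) => {
    if (p.protocol !== undefined && p.protocol !== scheme) return false;
    if (p.port !== undefined && p.port !== url.port) return false;
    if (!globToRegExp(p.hostname, '.').test(url.hostname)) return false;
    return globToRegExp(p.pathname ?? '/**', '/').test(url.pathname);
  });
}

// Constructed sample sources: one legitimate CDN asset, one attacker-hosted file.
const SAMPLE_SOURCES = [
  'https://cdn.example.com/images/hero.png',
  'https://attacker.example/payload.exe',
];

// Map each sample source to whether the given configuration would fetch it.
function audit(patterns) {
  return Object.fromEntries(
    SAMPLE_SOURCES.map((s) => [s, isAllowedRemoteImage(s, patterns)]),
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak  :', audit(WEAK_REMOTE_PATTERNS));
  console.log('strict:', audit(STRICT_REMOTE_PATTERNS));
}
```

With the weak pattern both sample sources are accepted, so an attacker-hosted file is a valid input to the optimizer, which is the precondition the advisory describes; with the strict pattern only the CDN path under /images/ is accepted, and a scheme, host, or path mismatch is rejected. When reviewing a real next.config.js, a hostname of ** or a broad images.domains list should be read as the weak case.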
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
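As an added example (not Next.js code and not Vercel's fix), here is the header handling a self-hosted middleware can use so that only an allow-listed subset of client headers reaches NextResponse.next(), beside the pass-everything pattern the advisory text warns against. The allow-list, the constructed sample request, and the internal-address Location value are this example's; because the page does not say which headers the advisory treats as sensitive, the filter drops everything it does not recognise instead of naming bad headers. The next/server calls appear only in comments so the file runs under plain Node.

```javascript
// Added example (not Next.js's own code or fix): forward only an allow-listed
// subset of incoming request headers from middleware, instead of handing
// request.headers to NextResponse.next() wholesale. Requires Node 18+ for the
// global Headers class. The allow-list is an assumption for this page.

// Weak pattern, shown as a comment (what the advisory text warns against):
//   import { NextResponse } from 'next/server';
//   export function middleware(request) {
//     return NextResponse.next({ request: { headers: request.headers } });
//   }
// Every client-supplied header, including any the framework reads as an
// internal signal, is forwarded unchanged.

// Headers that ordinary application code legitimately needs from the client
// (assumed list; extend deliberately, one name at a time).
const FORWARD_ALLOWLIST = new Set([
  'accept', 'accept-language', 'content-type', 'cookie', 'user-agent',
]);

// Build the header set to forward. Headers iterates with lowercased names, so
// the allow-list is kept lowercase and the comparison is case-insensitive.
// Anything not on the list, e.g. a client-sent Location or X-Forwarded-Host,
// is dropped without having to enumerate it.
function buildForwardHeaders(incoming, allowlist = FORWARD_ALLOWLIST) {
  const out = new Headers();
  for (const [name, value] of incoming) {
    if (allowlist.has(name)) out.set(name, value);
  }
  return out;
}

// Hardened pattern, shown as a comment:
//   export function middleware(request) {
//     const headers = buildForwardHeaders(request.headers);
//     headers.set('x-request-id', crypto.randomUUID()); // server-set, never client-set
//     return NextResponse.next({ request: { headers } });
//   }

// Constructed sample request: a browser-like request carrying two headers a
// client has no business setting, one pointing at a link-local metadata address.
const SAMPLE_REQUEST_HEADERS = new Headers({
  'Accept': 'text/html',
  'User-Agent': 'Mozilla/5.0 (constructed sample)',
  'Location': 'http://169.254.169.254/latest/meta-data/',
  'X-Forwarded-Host': 'attacker.example',
});

// Names removed by the filter, sorted, for audit logging or alerting.
function droppedHeaders(incoming, allowlist = FORWARD_ALLOWLIST) {
  const kept = buildForwardHeaders(incoming, allowlist);
  return [...incoming.keys()].filter((n) => !kept.has(n)).sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('forwarded:', [...buildForwardHeaders(SAMPLE_REQUEST_HEADERS).keys()]);
  console.log('dropped  :', droppedHeaders(SAMPLE_REQUEST_HEADERS));
}
```

On the constructed request the filter forwards accept and user-agent and drops location and x-forwarded-host. The point of an allow-list rather than a deny-list is that a header the framework later starts treating as sensitive is still dropped by default; if your middleware must forward a header that is not on the list, add it explicitly and log the dropped names so unexpected client-controlled headers are visible.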