Next versions 0.3.0 and 0.3.1 represent minor iterations of a deprecated Node.js extensions library, primarily offering utility functions extending JavaScript's capabilities. Both versions, authored by Mariusz Nowak and maintained at Medikoo, are designed to enhance Node.js development workflows. Key areas covered typically involve asynchronous task management and function memoization, vital for optimizing performance in Node.js applications.
The core functionality in both versions centers around extending built-in JavaScript objects with commonly needed methods. Specifically, the library utilizes "es5-ext" for augmenting ECMAScript 5 features, "deferred" for advanced promise management, and "memoizee" for efficient function result caching. Developers leverage these tools to write cleaner, more performant code, particularly where asynchronous operations and repetitive calculations are involved.
Examining the provided data hints at slight variations; though the dependency specifications appear identical (es5-ext: "0.9.x", deferred: "0.6.x", memoizee: "~0.2.2", tad: "0.1.x"), the crucial difference lies in the release dates. Version 0.3.1 was released on October 11, 2012, a week after version 0.3.0, released on October 4, 2012. This suggests that 0.3.1 likely contains bug fixes or minor improvements over 0.3.0, although the metadata provides no explicit details. For developers picking between the two (though the library is deprecated), 0.3.1 would be the slightly preferred option due to the likely inclusion of patches. The Git repository remains the central hub for the project.
All the vulnerabilities related to the version 0.3.1 of the package
Directory Traversal in Next.js
serverless targetnext exportWe recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
https://github.com/zeit/next.js/releases/tag/v9.3.2
https://github.com/zeit/next.js/releases/tag/v9.3.2
Next.js Race Condition to Cache Poisoning
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog