next version 0.3.2, released on August 8, 2013, is an incremental update to version 0.3.1 (released October 11, 2012) of this deprecated Node.js extensions library. Both versions serve the same purpose, providing extensions for Node.js, and both depend on es5-ext, deferred and memoizee, so functionality is continuous between them. What changes is the set of dependency version constraints.
Version 0.3.2 specifies es5-ext as ~0.9.2, deferred as ~0.6.5 and memoizee as ~0.2.5, where 0.3.1 used 0.9.x, 0.6.x and ~0.2.2 respectively. The tad devDependency moves the same way, from 0.1.x in 0.3.1 to ~0.1.16 in 0.3.2. Under npm's range semantics these are not pins: ~0.9.2 admits every 0.9.z with z >= 2, and 0.9.x admits every 0.9.z, so each change raises the minimum accepted patch release while keeping the same ceiling (the next minor version). The practical reading is that 0.3.2 requires fixes or behaviour that exist only from those patch releases onward; it does not stop a fresh install from pulling a newer patch release of any dependency. Developers who need reproducible installs should rely on a lockfile or exact versions rather than on these ranges.
The raised minimums point to bug fixes, optimizations or adaptations in next aligned with those dependency releases. Developers using next should review the dependency changes, particularly if they rely on specific features or behaviours of those libraries. Since the library is marked as deprecated, alternatives are worth considering.
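To make the difference between the two range forms concrete, the following is an added example (not code from the next package) that evaluates fully specified `~x.y.z` and `x.y.x` ranges the way npm's semver does and compares what the 0.3.1 and 0.3.2 constraints admit. It handles only those two forms; the constraint table is copied from the text above.

```javascript
// Added example: a minimal evaluator for the two dependency-range forms used
// by next 0.3.1 and 0.3.2 ("~x.y.z" and "x.y.x"). Not part of the next package.

function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Lexicographic comparison of [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns { min (inclusive), max (exclusive) } for a range string.
function parseRange(range) {
  let m;
  if ((m = /^~(\d+)\.(\d+)\.(\d+)$/.exec(range))) {
    // tilde: >= x.y.z  < x.(y+1).0
    const [major, minor, patch] = m.slice(1).map(Number);
    return { min: [major, minor, patch], max: [major, minor + 1, 0] };
  }
  if ((m = /^(\d+)\.(\d+)\.x$/.exec(range))) {
    // x-range: >= x.y.0  < x.(y+1).0
    const [major, minor] = m.slice(1).map(Number);
    return { min: [major, minor, 0], max: [major, minor + 1, 0] };
  }
  throw new Error(`unsupported range: ${range}`);
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, max } = parseRange(range);
  return compareVersions(v, min) >= 0 && compareVersions(v, max) < 0;
}

// Human-readable bounds, e.g. "~0.9.2" -> ">=0.9.2 <0.10.0".
function rangeBounds(range) {
  const { min, max } = parseRange(range);
  return `>=${min.join('.')} <${max.join('.')}`;
}

// Dependency constraints as listed on the page for next 0.3.1 vs 0.3.2.
const CONSTRAINTS = {
  'es5-ext': { '0.3.1': '0.9.x', '0.3.2': '~0.9.2' },
  deferred: { '0.3.1': '0.6.x', '0.3.2': '~0.6.5' },
  memoizee: { '0.3.1': '~0.2.2', '0.3.2': '~0.2.5' },
  tad: { '0.3.1': '0.1.x', '0.3.2': '~0.1.16' },
};

// For each dependency, report whether the ceiling is unchanged and the floor
// was raised, which is what every one of these changes actually does.
function compareConstraints() {
  const out = {};
  for (const [dep, pair] of Object.entries(CONSTRAINTS)) {
    const oldRange = pair['0.3.1'];
    const newRange = pair['0.3.2'];
    const o = parseRange(oldRange);
    const n = parseRange(newRange);
    out[dep] = {
      from: rangeBounds(oldRange),
      to: rangeBounds(newRange),
      sameCeiling: compareVersions(o.max, n.max) === 0,
      floorRaised: compareVersions(n.min, o.min) > 0,
    };
  }
  return out;
}

console.log(compareConstraints());
```

Running it shows that 0.9.1 satisfies 0.9.x but not ~0.9.2, while 0.9.9 satisfies both and 0.10.0 satisfies neither: the upgrade narrows the floor only.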
All the vulnerabilities listed for version 0.3.2 of the package
Note that the advisories below concern the Next.js framework (zeit/next.js, now Vercel), which publishes under the npm name next; the fix versions they cite (9.3.2, 14.2.31/15.4.5 and 14.2.32/15.4.7) belong to that project, not to the 0.3.x extensions library described above.
Directory Traversal in Next.js
Configurations referenced in the advisory: the serverless target and next export.
We recommend that everyone upgrade, whether or not you can reproduce the issue.
https://github.com/zeit/next.js/releases/tag/v9.3.2
Next.js Race Condition to Cache Poisoning
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue affects only the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of the standard HTML.
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and to verify that external image sources are strictly validated.
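As an added illustration of what "strictly validated" looks like in configuration (this is not code from the page or from the Next.js project), the two next.config.js images sections below contrast a hostname wildcard that accepts any HTTPS host with a pattern scoped to one host and path prefix. The hostname cdn.example.com and the /images/ path are placeholders.

```javascript
// Added example, not from the page or the Next.js project. Two next.config.js
// "images" sections: a weak one that lets the optimizer fetch from any HTTPS
// host, and a strict one scoped to a single assumed CDN host and path prefix.
// "cdn.example.com" and "/images/" are placeholders.

// Weak: a hostname of '**' matches any host, so an attacker can point the
// optimizer at content they control.
const weakImagesConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: '**' }],
  },
};

// Strict: HTTPS only, one host, one path prefix. Anything else is rejected
// before the optimizer fetches it.
const strictImagesConfig = {
  images: {
    remotePatterns: [
      {
        protocol: 'https',
        hostname: 'cdn.example.com',
        pathname: '/images/**',
      },
    ],
  },
};

// In a CommonJS next.config.js, export the strict object:
//   module.exports = strictImagesConfig;
```

If several hosts are legitimately needed, list each as its own pattern rather than widening the hostname to a wildcard.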
More details at Vercel Changelog
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were passed directly into NextResponse.next(). In self-hosted applications this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and to verify correct usage of the next() function.
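The following added example (not Next.js or Vercel code) contrasts the two header-handling patterns the advisory describes, using the standard Headers class so it runs in plain Node 18+ without Next.js. The page does not name the sensitive headers or describe how the forged request is issued; Location is assumed here for illustration, since a Location header on a redirect response is what a client follows. The example shows only that an allowlist stops an attacker-controlled header from reaching the response, which is the behaviour the advisory warns against. Header names and the internal address are constructed.

```javascript
// Added example, not Next.js or Vercel code. Contrasts copying incoming request
// headers wholesale onto a response (the pattern the advisory warns about) with
// an explicit allowlist. Location is an ASSUMED example of a sensitive header;
// the page does not say which headers Next.js treats as sensitive.

// Response headers this hypothetical middleware is willing to propagate.
const RESPONSE_HEADER_ALLOWLIST = new Set(['x-request-id', 'accept-language']);

// Vulnerable pattern: every incoming request header is copied onto the
// response, so an attacker-supplied Location reaches the outgoing response.
function buildResponseHeadersUnsafe(incomingHeaders) {
  return new Headers(incomingHeaders);
}

// Hardened pattern: copy only headers on the allowlist; everything else,
// Location included, is dropped regardless of what the client sent.
function buildResponseHeadersSafe(incomingHeaders) {
  const out = new Headers();
  for (const [name, value] of incomingHeaders) {
    if (RESPONSE_HEADER_ALLOWLIST.has(name.toLowerCase())) out.set(name, value);
  }
  return out;
}

// The target a client would follow for a given status and response headers,
// or null when the response is not a redirect or carries no Location.
function redirectTarget(status, responseHeaders) {
  if (status < 300 || status > 399) return null;
  return responseHeaders.get('location');
}

// Constructed request headers: two benign ones plus an attacker-controlled
// Location pointing at an internal address (value chosen for illustration).
const constructedIncoming = new Headers({
  'x-request-id': 'req-123',
  'accept-language': 'en',
  'location': 'http://10.0.0.5/internal/',
});

// With a 307 status, the unsafe headers would steer the client into the
// internal network; the safe headers carry no Location at all.
function demo() {
  return {
    unsafe: redirectTarget(307, buildResponseHeadersUnsafe(constructedIncoming)),
    safe: redirectTarget(307, buildResponseHeadersSafe(constructedIncoming)),
  };
}

console.log(demo()); // { unsafe: 'http://10.0.0.5/internal/', safe: null }
```

In Next.js the documented way to modify headers seen by downstream handlers is the request.headers option of NextResponse.next(), which is distinct from setting response headers; keeping that distinction, and never passing the raw incoming header set through, is the check to make when auditing middleware.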
More details at Vercel Changelog