Next version 0.4.0 introduces updates and refinements over its predecessor, version 0.3.3, targeting Node.js developers seeking enhanced utility extensions. Both versions share the same core purpose: providing utility extensions for Node.js. However, key differences emerge in their dependencies and author email.
Version 0.4.0 upgrades its dependencies, pulling in newer versions of crucial packages. Specifically, es5-ext moves from "~0.9.2" to "~0.10.2", deferred transitions from "~0.6.5" to "0.7.x", and memoizee jumps from "~0.2.5" to "0.3.x". These dependency updates likely bring performance improvements, bug fixes, and potentially new features offered by the updated underlying packages. It's essential for developers upgrading to version 0.4.0 to review the changelogs of es5-ext, deferred, and memoizee to understand the implications of these updates.
The devDependencies also see an update, with tad moving from "~0.1.16" to "~0.1.21", which matters for contributors or developers who want to run the package's tests. Notably, the author's email also changes in version 0.4.0, suggesting a shift in maintenance or contact details. Since the packages are deprecated, the practical impact of these changes may be negligible, but they can still improve performance and fix bugs.
All vulnerabilities related to version 0.4.0 of the package
Directory Traversal in Next.js
serverless target; next export
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
https://github.com/zeit/next.js/releases/tag/v9.3.2
Next.js Race Condition to Cache Poisoning
Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.
Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
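The advisory above asks operators to verify that external image sources are strictly validated. The following is an added example, not code from Next.js or from this advisory: it audits the images section of a next.config.js object and reports patterns that are broader than a single pinned source. It assumes the documented remotePatterns fields (protocol, hostname, port, pathname) and that a bare "**" or leading "*" hostname is a wildcard; the two configurations and the CDN hostname are constructed for the demonstration.

```javascript
// Added example (not Next.js project code): audit an images config for
// external-source patterns that are broader than intended.
// Assumptions: remotePatterns entries use the documented fields
// (protocol, hostname, port, pathname); hostnames below are constructed.

// Overly permissive (constructed): any https host, any path.
const permissiveImages = {
  remotePatterns: [{ protocol: 'https', hostname: '**' }],
};

// Tightened (constructed): one CDN host, fixed path prefix, pinned protocol.
const strictImages = {
  remotePatterns: [
    { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
  ],
};

// Return a list of human-readable findings; an empty list means every
// external source is pinned to a host, protocol and path.
function auditImageSources(images = {}) {
  const findings = [];
  const domains = images.domains || [];
  const patterns = images.remotePatterns || [];

  for (const host of domains) {
    // images.domains entries match on hostname only: no protocol or path limit.
    findings.push(`domains: ${host} is matched by hostname only (no protocol/path limit)`);
  }

  patterns.forEach((p, i) => {
    const host = p.hostname || '';
    if (host === '**' || host === '*') {
      findings.push(`remotePatterns[${i}]: hostname ${host} matches every host`);
    } else if (host.startsWith('*')) {
      findings.push(`remotePatterns[${i}]: hostname ${host} matches arbitrary subdomains`);
    }
    if (!p.protocol) findings.push(`remotePatterns[${i}]: protocol not pinned`);
    if (!p.pathname) findings.push(`remotePatterns[${i}]: no pathname restriction`);
  });

  return findings;
}

console.log('permissive:', auditImageSources(permissiveImages));
console.log('strict:', auditImageSources(strictImages));
```

Run it against the images object exported from your own next.config.js; each finding names the entry and the dimension (host, protocol, path) that is left open, which is the information needed to decide whether the breadth is intentional.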
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
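The advisory describes the risky pattern as passing the incoming request's headers straight into NextResponse.next(). The following is an added example, not code from Next.js or from this advisory: instead of forwarding every client header, it builds the forwarded header set from an explicit allowlist and lets values set by the middleware itself take precedence. It assumes Node 18+ (global Headers); the allowlist contents, the sample request headers and the x-request-id value are constructed for the demonstration.

```javascript
// Added example (not Next.js project code): allowlist the headers that a
// middleware forwards via NextResponse.next({ request: { headers } }).
//
// Pattern the advisory warns about (shown as a comment only):
//   return NextResponse.next({ request: { headers: request.headers } });
// Hardened form using the helper below:
//   return NextResponse.next({ request: { headers: buildForwardHeaders(request.headers) } });
//
// Assumptions: Node 18+ provides the global Headers class; the allowlist is
// illustrative and should be tailored to what downstream handlers really read.

const FORWARDABLE_HEADERS = new Set([
  'accept',
  'accept-language',
  'content-type',
  'cookie',
  'user-agent',
]);

// Return a new Headers object with only allowlisted client headers, then apply
// any headers the middleware sets itself; middleware values win over client values.
function buildForwardHeaders(incoming, middlewareSet = {}) {
  const out = new Headers();
  for (const [name, value] of incoming) {
    if (FORWARDABLE_HEADERS.has(name.toLowerCase())) out.set(name, value);
  }
  for (const [name, value] of Object.entries(middlewareSet)) out.set(name, value);
  return out;
}

// List the client header names that a pass-everything-through middleware would
// have forwarded but the allowlist drops; useful when auditing existing code.
function droppedHeaders(incoming) {
  return [...incoming.keys()]
    .filter((name) => !FORWARDABLE_HEADERS.has(name.toLowerCase()))
    .sort();
}

// Constructed sample request headers: two expected ones and two the app never asked for.
const sampleIncoming = new Headers({
  accept: 'text/html',
  cookie: 'session=abc',
  'x-forwarded-host': 'client-supplied.example',
  'x-unexpected': 'set-by-client',
});

const forwarded = buildForwardHeaders(sampleIncoming, { 'x-request-id': 'r-1' });
console.log('forwarded:', [...forwarded.entries()]);
console.log('dropped:', droppedHeaders(sampleIncoming));
```

The droppedHeaders output is the quickest way to see what a middleware had been forwarding implicitly; anything in that list that a downstream handler genuinely needs is added to the allowlist deliberately rather than inherited from the client.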