Next.js 15.3.1 is a minor release following the 15.3.0 version of the popular React framework. Both versions share a similar core architecture, focusing on performance, developer experience, and optimized web development. A key difference lies in the updated release date, with 15.3.1 released on April 17, 2025, and 15.3.0 released on April 9, 2025, suggesting bug fixes or minor enhancements.
Both depend on the same versions of core dependencies like busboy, postcss, @next/env, and styled-jsx. Similarly, their development dependencies, including essential tools like webpack, typescript, storybook, and @babel packages, are consistent across both versions. This indicates a stable development environment and suggests a focus on incremental improvements rather than extensive overhauls.
The optional dependencies, which include platform-specific @next/swc binaries and sharp for image optimization, are the same in range and purpose in both versions. This consistency keeps the build process and the optimized features available across operating systems. One notable difference is that "releaseDate" and "unpackedSize" differ between the two versions, so even though this looks like a very small update, 15.3.1 ships code that differs from 15.3.0.
Developers will find that upgrading from 15.3.0 to 15.3.1 should be relatively seamless, particularly since the core dependencies and development environment remain consistent. The updated release date of 15.3.1 signals that it likely incorporates bug fixes or minor improvements that enhance stability, security, or performance. Consequently, it is generally recommended to upgrade to the latest patch version to benefit from these enhancements.
All vulnerabilities affecting version 15.3.1 of the package
Next.js has a cache poisoning vulnerability due to omission of the Vary header
A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.
Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.
More details: CVE-2025-49005
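The advisory above describes a representation (an RSC payload) being cached under the same key as the HTML it replaces. The check a defender wants is simple: fetch the same URL with and without the request header that changes the representation, and confirm that every cacheable response names that header in Vary. The following is an added example, not code from Next.js or from this page. It assumes Next.js's `RSC: 1` request header and `text/x-component` content type for RSC payloads (neither is named on the page), and the sample responses are constructed, not captured.

```javascript
// Added example: a cache-safety check for the "RSC payload served instead of
// HTML" failure mode. Response objects are plain { status, headers } records
// with lower-cased header names, the shape produced by the probe() helper
// below or by hand-built samples.

// Parse a Vary header into a set of lower-cased field names; "*" means the
// response must never be reused for a request that differs in any way.
function parseVary(vary) {
  if (!vary) return new Set();
  return new Set(vary.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean));
}

// Shared caches will not store responses marked no-store or private.
function storableByStoredCache(res) {
  return !/\b(no-store|private)\b/i.test(res.headers['cache-control'] || '');
}

// Compare two responses for the same URL that differed only in one request
// header. Returns whether the representations differ, which responses fail to
// list that header in Vary, and whether a shared cache could mix them up.
function assessVaryCoverage(differingHeader, plain, variant) {
  const name = differingHeader.toLowerCase();
  const mediaType = (r) => (r.headers['content-type'] || '').toLowerCase().split(';')[0].trim();
  const representationsDiffer = mediaType(plain) !== mediaType(variant);

  const labelled = [['plain', plain], ['variant', variant]];
  const missingVaryOn = labelled
    .filter(([, r]) => { const v = parseVary(r.headers['vary']); return !(v.has('*') || v.has(name)); })
    .map(([label]) => label);

  // Risk exists when the two bodies differ and at least one response that
  // omits the header from Vary is also storable by a shared cache.
  const risky = representationsDiffer &&
    labelled.some(([label, r]) => missingVaryOn.includes(label) && storableByStoredCache(r));
  return { representationsDiffer, missingVaryOn, risky };
}

// Live probe against a deployment you operate (Node 18+ global fetch; not
// executed here). redirect: 'manual' keeps the first hop's headers, which is
// where middleware redirects show up.
async function probe(url, headerName = 'RSC', headerValue = '1') {
  const grab = async (headers) => {
    const res = await fetch(url, { headers, redirect: 'manual' });
    return { status: res.status, headers: Object.fromEntries(res.headers.entries()) };
  };
  return assessVaryCoverage(headerName, await grab({}), await grab({ [headerName]: headerValue }));
}

// Constructed sample responses (not real captures).
const htmlNoVary = { status: 200, headers: { 'content-type': 'text/html; charset=utf-8', 'cache-control': 'public, max-age=60' } };
const rscNoVary = { status: 200, headers: { 'content-type': 'text/x-component', 'cache-control': 'public, max-age=60' } };
const htmlWithVary = { status: 200, headers: { ...htmlNoVary.headers, vary: 'RSC' } };
const rscWithVary = { status: 200, headers: { ...rscNoVary.headers, vary: 'RSC, Next-Router-State-Tree, Next-Router-Prefetch' } };

function demo() {
  return {
    unprotected: assessVaryCoverage('RSC', htmlNoVary, rscNoVary),   // risky: true
    protected: assessVaryCoverage('RSC', htmlWithVary, rscWithVary), // risky: false
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check generalises beyond RSC: any request header that selects a different body (Accept, a locale cookie, a feature-flag header) should appear in Vary on every cacheable response it influences, and `probe()` can be pointed at a route with that header name instead.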
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.
All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
More details at Vercel Changelog
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
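"Strictly validated" external image sources come down to how narrow the `images.remotePatterns` (and legacy `images.domains`) entries in next.config.js are. The following is an added review-time lint, not code from Next.js or from this page: it walks an `images` config object and flags entries that leave the allowed source set wide open. The field names (`protocol`, `hostname`, `port`, `pathname`) are the ones Next.js documents for remotePatterns; the severity labels and the sample configs are this example's own constructions.

```javascript
// Added example: lint an images config for overly broad external sources.
// Returns a list of { level, where, msg } findings; an empty list means every
// entry pins protocol, a concrete host and a path prefix.
function lintImageConfig(images) {
  const findings = [];
  const note = (level, where, msg) => findings.push({ level, where, msg });

  // The legacy domains list matches on hostname only.
  for (const d of images.domains || []) {
    note('info', `domains[${d}]`, 'legacy domains entry constrains only the hostname; move it to remotePatterns with protocol and pathname');
  }

  (images.remotePatterns || []).forEach((p, i) => {
    const where = `remotePatterns[${i}]`;
    const host = String(p.hostname || '');
    if (host === '' || host === '*' || host === '**') {
      note('high', where, `hostname "${host}" admits any external host`);
    } else if (/^\*\*?\./.test(host)) {
      note('medium', where, `hostname "${host}" admits every subdomain`);
    }
    if (!p.protocol) {
      note('low', where, 'protocol not pinned; set protocol: "https"');
    } else if (p.protocol !== 'https') {
      note('medium', where, `protocol "${p.protocol}" allows non-TLS image fetches`);
    }
    if (!p.pathname || p.pathname === '/**') {
      note('low', where, 'pathname unrestricted; narrow it to the image path prefix');
    }
  });
  return findings;
}

// Constructed sample configs (the shape of next.config.js's `images` key).
const laxConfig = {
  images: { domains: ['cdn.example'], remotePatterns: [{ hostname: '**' }] },
};
const strictConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: 'images.example', pathname: '/avatars/**' }],
  },
};

function demo() {
  return { lax: lintImageConfig(laxConfig.images), strict: lintImageConfig(strictConfig.images) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run this against the `images` object exported from your own next.config.js during code review or in CI; a non-empty result is a prompt to tighten the entry, not proof that a given pattern is exploitable.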
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
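The upgrade is the fix. As a defence-in-depth complement to "verify correct usage of the next() function", the following added example (not Next.js project code and not the upstream patch) shows a middleware pattern that forwards an explicit allow-list of incoming headers into `NextResponse.next({ request: { headers } })` instead of copying the whole incoming set, and reports what it dropped so the drop can be logged. `NextResponse.next({ request: { headers } })` is the documented Next.js API; the allow-list contents and the sample headers are assumptions to adapt to what your routes actually read.

```javascript
// Added example: build the forwarded header set from an allow-list rather
// than from every header the client sent. The core function is pure so it can
// be unit-tested without next/server.

// Assumed allow-list; extend it with the headers your route handlers read.
const FORWARD_ALLOWLIST = ['host', 'accept', 'accept-language', 'content-type', 'content-length', 'user-agent', 'cookie'];

// incoming: any iterable of [name, value] pairs (a Fetch Headers instance or
// Object.entries(obj)). extra: headers the middleware itself wants to add.
// Returns { kept: {lowercased name -> value}, dropped: [names not forwarded] }.
function buildForwardedHeaders(incoming, allowlist = FORWARD_ALLOWLIST, extra = {}) {
  const allowed = new Set(allowlist.map((h) => h.toLowerCase()));
  const kept = {};
  const dropped = [];
  for (const [rawName, value] of incoming) {
    const name = rawName.toLowerCase();
    if (allowed.has(name)) kept[name] = value;
    else dropped.push(name);
  }
  for (const [k, v] of Object.entries(extra)) kept[k.toLowerCase()] = v;
  return { kept, dropped };
}

// middleware.ts usage sketch (needs next/server at runtime; not executed here):
//   import { NextResponse } from 'next/server';
//   export function middleware(request) {
//     const { kept, dropped } = buildForwardedHeaders(
//       request.headers, FORWARD_ALLOWLIST, { 'x-request-id': crypto.randomUUID() });
//     if (dropped.length) console.warn('middleware dropped headers:', dropped.join(', '));
//     return NextResponse.next({ request: { headers: new Headers(kept) } });
//   }

// Constructed sample request headers; the X-* names stand in for anything a
// client might send that the application never needs forwarded.
const sampleIncoming = Object.entries({
  Host: 'app.example',
  Accept: 'text/html',
  Cookie: 'session=constructed',
  'X-Internal-Hint': 'constructed',
  'X-Debug-Trace': 'constructed',
});

function demo() {
  return buildForwardedHeaders(sampleIncoming, FORWARD_ALLOWLIST, { 'x-request-id': 'req-constructed-1' });
}

console.log(JSON.stringify(demo(), null, 2));
```

Logging the dropped names is the useful part operationally: a sudden change in what clients send that is not on the list is visible without any of it reaching the forwarded request.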