Next.js 15.3.2 is a patch release over 15.3.1. The framework's core functionality is unchanged; comparing the two package manifests turns up only small, targeted updates. Both versions share the same runtime dependency set (busboy, postcss, @next/env, styled-jsx and @swc/helpers, among others), and the development dependencies (webpack, typescript, storybook and the test utilities) are likewise almost identical.
The @next/swc packages, Next.js's Rust-based replacement for Babel, moved from 15.3.1 to 15.3.2. react, react-dom and babel-plugin-react-compiler were not changed.
The optional dependencies that carry the platform-specific swc binaries (@next/swc-darwin-x64, @next/swc-darwin-arm64 and so on) were bumped from 15.3.1 to 15.3.2 in step with the main package, since each one is the compiler build for a particular operating system and CPU architecture.
Developers moving from 15.3.1 to 15.3.2 should therefore expect only these incremental changes, chiefly the updated swc binaries. Both versions support React 18 and 19. Note that 15.3.2 itself falls inside the affected range of every advisory listed below, so an upgrade should target at least the fixed versions named there rather than stopping at 15.3.2.
Known vulnerabilities affecting version 15.3.2 of the package
Next.js has a Cache poisoning vulnerability due to omission of the Vary header
A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.
Users on affected versions should upgrade to 15.3.3 or later and redeploy so that the corrected caching behaviour is what reaches the CDN. It is also worth purging any entries the vulnerable build may already have stored, since those were written without the Vary header and will keep being served until they expire.
More details: CVE-2025-49005
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug: the cache key was derived from the request URL without accounting for the headers the image actually depended on.
All users who serve images from API routes that depend on request headers, and who have image optimization enabled, are encouraged to upgrade to 15.4.5 / 14.2.31 or later.
More details at Vercel Changelog
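Both cache advisories above come down to the same mistake: a response that depends on a request header is stored under a key built from the URL alone. The following is an added example, not code from Next.js or Vercel, of a small in-memory cache that derives its key from the URL plus the request headers named in the response's Vary header. It then plays out both scenarios on constructed origins: an App Router route that returns an RSC payload when the RSC request header is present (the real fix also varies on the Next-Router-* headers; only RSC is modelled here), and an image route whose output depends on Cookie. The header names, URLs and bodies are illustrative assumptions.

```javascript
// Added example (not Next.js or Vercel code): a minimal HTTP cache whose key is
// the URL plus the values of the request headers listed in the response's Vary
// header. A response that depends on a request header but is stored without
// Vary is returned to every later request for the same URL, whatever that
// header says. That is the failure mode of both cache advisories.

class VaryAwareCache {
  constructor() {
    this.variants = new Map(); // url -> [{ key, vary, response }]
  }

  // Cache key: URL plus "name=value" for each header named in Vary.
  // "Vary: *" means the response is not cacheable at all.
  static key(url, reqHeaders, varyHeader) {
    const names = (varyHeader || '')
      .split(',')
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (names.includes('*')) return null;
    const parts = names.map((n) => `${n}=${reqHeaders[n] ?? ''}`);
    return `${url}|${parts.join('&')}`;
  }

  get(url, reqHeaders) {
    for (const entry of this.variants.get(url) || []) {
      // Re-derive the key for *this* request using the stored Vary list.
      if (VaryAwareCache.key(url, reqHeaders, entry.vary) === entry.key) {
        return entry.response;
      }
    }
    return null;
  }

  put(url, reqHeaders, response) {
    const vary = response.headers.vary;
    const key = VaryAwareCache.key(url, reqHeaders, vary);
    if (key === null) return;
    const list = this.variants.get(url) || [];
    list.push({ key, vary, response });
    this.variants.set(url, list);
  }
}

// Fetch through the cache; originFn stands in for the Next.js server.
function fetchVia(cache, url, reqHeaders, originFn) {
  const hit = cache.get(url, reqHeaders);
  if (hit) return hit;
  const res = originFn(reqHeaders);
  cache.put(url, reqHeaders, res);
  return res;
}

// Constructed App Router origin: the same URL yields an RSC payload when the
// "RSC: 1" request header is present and HTML otherwise. With emitVary=false it
// behaves like the affected versions (no Vary header on the response).
function rscOrigin(emitVary) {
  return (req) => {
    const isRsc = req.rsc === '1';
    const headers = { 'content-type': isRsc ? 'text/x-component' : 'text/html' };
    if (emitVary) headers.vary = 'RSC';
    return { headers, body: isRsc ? '0:["$","div",null,{}]' : '<!doctype html><div></div>' };
  };
}

// Content-type a plain browser navigation receives after a client-side
// navigation has already populated the cache for the same URL.
function simulateRsc(emitVary) {
  const cache = new VaryAwareCache();
  fetchVia(cache, '/dashboard', { rsc: '1' }, rscOrigin(emitVary));
  return fetchVia(cache, '/dashboard', {}, rscOrigin(emitVary)).headers['content-type'];
}

// Constructed image-optimization origin: an API route renders a per-user image
// selected by the Cookie header. Without "Vary: Cookie", alice's image is
// cached under the URL alone and handed to bob.
function imageOrigin(emitVary) {
  return (req) => {
    const headers = { 'content-type': 'image/png' };
    if (emitVary) headers.vary = 'Cookie';
    return { headers, body: `avatar-for:${req.cookie || 'anonymous'}` };
  };
}

function simulateImage(emitVary) {
  const cache = new VaryAwareCache();
  const url = '/_next/image?url=%2Fapi%2Favatar&w=64&q=75';
  fetchVia(cache, url, { cookie: 'session=alice' }, imageOrigin(emitVary));
  return fetchVia(cache, url, { cookie: 'session=bob' }, imageOrigin(emitVary)).body;
}
```

simulateRsc(false) returns text/x-component for the HTML request, which is the poisoned state; simulateRsc(true) returns text/html. simulateImage(false) hands bob the avatar rendered for alice's session, while simulateImage(true) gives each cookie its own variant. The same key derivation is what a CDN or a framework-level cache has to perform, and it can only do so if the origin emits Vary for every header the response depends on.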
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade to 15.4.5 / 14.2.31 or later and to verify that external image sources are strictly validated: an allowlist that uses a wildcard hostname such as ** accepts every host and offers no protection against attacker-controlled sources.
More details at Vercel Changelog
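The advisory's remediation hinges on the allowlist being narrow. As an added example, not Next.js's own matcher, the block below validates a requested image source against a list of images.remotePatterns-style entries (the protocol/hostname/port/pathname keys follow the Next.js configuration documentation; the glob handling and the two sample configurations are this example's own) and contrasts a weak configuration with a corrected one.

```javascript
// Added example (not Next.js's own matcher): validate a requested image source
// against an images.remotePatterns-style allowlist before the optimizer fetches
// it. Entry shape follows the Next.js config keys; glob semantics are ours.

// Convert a pattern to a RegExp: '*' matches one label (hostname) or one path
// segment (pathname); '**' matches anything, separators included.
function globToRegExp(glob, sep) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const single = `[^${sep}]*`;
  const body = escaped.split('**').map((p) => p.replace(/\*/g, single)).join('.*');
  return new RegExp(`^${body}$`);
}

function matchesPattern(pattern, url) {
  if (pattern.protocol && `${pattern.protocol}:` !== url.protocol) return false;
  if (!globToRegExp(pattern.hostname, '.').test(url.hostname)) return false;
  if (pattern.port && pattern.port !== url.port) return false;
  if (pattern.pathname && !globToRegExp(pattern.pathname, '/').test(url.pathname)) return false;
  return true;
}

// Only absolute http(s) URLs matching at least one pattern are allowed;
// unparsable input and other schemes (data:, file:, ...) are rejected.
function isAllowedImageSource(src, remotePatterns) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return remotePatterns.some((p) => matchesPattern(p, url));
}

// Weak setting (constructed): a '**' hostname makes the allowlist accept every
// host, so an attacker-controlled origin can be fed through the optimizer.
const weakPatterns = [{ protocol: 'https', hostname: '**' }];

// Corrected setting (constructed): one trusted host, pinned to the path prefix
// that actually serves images.
const strictPatterns = [
  { protocol: 'https', hostname: 'cdn.example.com', pathname: '/avatars/**' },
];
```

With weakPatterns, https://attacker.example/payload.bin is accepted; with strictPatterns it is rejected, as are look-alike hosts (cdn.example.com.attacker.example), the wrong scheme, and paths outside /avatars/. Run the check on the url query parameter before the optimizer ever issues the outbound request, and keep the pattern list as short as the application's real image hosts allow.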
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were passed directly into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and to confirm that NextResponse.next() is never handed the raw incoming header set; only headers the application deliberately forwards should cross from request to response.
More details at Vercel Changelog
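The remediation above is easiest to see side by side. The following is an added example, not Next.js code, written against the standard Headers API so it runs without the framework: the reflect-everything pattern the advisory describes next to an allowlist-based forwarder. The allowlist contents, the request values and the use of a location header pointing at a link-local metadata address are assumptions for illustration; the page does not name the specific header involved.

```javascript
// Added example (not Next.js code): the middleware mistake the advisory
// describes, modelled on the standard Headers API so it runs without Next.js.
// Copying the whole incoming header set into the response lets the client
// decide which headers the server emits; forwarding an explicit allowlist
// does not.

// Headers the application intentionally carries from request to response.
// (Assumed list for this example.)
const FORWARD_ALLOWLIST = new Set(['x-request-id', 'accept-language']);

// Vulnerable: equivalent to NextResponse.next({ headers: request.headers }).
function reflectAllHeaders(requestHeaders) {
  const out = new Headers();
  for (const [name, value] of requestHeaders) out.set(name, value);
  return out;
}

// Hardened: only allowlisted names cross the boundary; everything else,
// including any header the client added to steer the server, is dropped.
function forwardAllowlisted(requestHeaders, allow = FORWARD_ALLOWLIST) {
  const out = new Headers();
  for (const [name, value] of requestHeaders) {
    if (allow.has(name.toLowerCase())) out.set(name, value);
  }
  return out;
}

// Constructed request: one legitimate tracing header and one client-supplied
// header that a server must never echo unexamined. The advisory does not name
// the header behind the SSRF; a location header aimed at a cloud metadata
// address is used here purely as an illustration of a response-steering value.
function demo() {
  const incoming = new Headers({
    'x-request-id': 'req-7f3a',
    location: 'http://169.254.169.254/latest/meta-data/',
  });
  const reflected = reflectAllHeaders(incoming);
  const filtered = forwardAllowlisted(incoming);
  return {
    reflectedHasLocation: reflected.has('location'),
    filteredHasLocation: filtered.has('location'),
    filteredRequestId: filtered.get('x-request-id'),
  };
}
```

demo() reports that the reflected response carries the client's location header while the filtered one does not, and that the allowlisted tracing header survives. In a real middleware the hardened function is what should be evaluated at the point where code currently hands request.headers straight to NextResponse.next(); the upgrade fixes the framework side, but an explicit allowlist is still the right shape for any header forwarding the application does itself.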