Next.js 15.3.5 offers subtle refinements over its predecessor, 15.3.4, primarily focused on internal package versions and dependency updates. While the core functionality remains consistent, developers upgrading should note potential minor compatibility implications arising from these changes. Both versions represent a powerful React framework, streamlining the creation of performant web applications with features like server-side rendering, static site generation, and a robust routing system.
Key dependencies such as @next/env, @next/swc, and @next/font have been bumped, ensuring access to the latest bug fixes and performance enhancements within the Next.js ecosystem. The @next/swc version increase means potential improvements in JavaScript compilation speed, a critical factor for development velocity. Furthermore, the comprehensive suite of development tools, including Storybook, webpack, and various Babel plugins, remains extensive, empowering developers with a modern and versatile development experience. Notably, the unpacked size grew by roughly 50 MB from one version to the next, which may indicate a performance change or a newly added feature.
Developers should thoroughly examine their project's dependency tree and test their applications after upgrading to ensure seamless integration with the updated package versions in 15.3.5. Although the changes are incremental, staying current with the latest releases allows developers to leverage the ongoing improvements and refinements made to the Next.js framework, ultimately resulting in more efficient and reliable web development workflows.
All vulnerabilities affecting version 15.3.5 of the package
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.
All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
More details at Vercel Changelog
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.
All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.
More details at Vercel Changelog
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.
All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
More details at Vercel Changelog
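The middleware advisory above turns on request headers being handed straight into NextResponse.next(). As an added example (not code from the advisory or from Next.js), the helper below forwards only an explicit allowlist of headers and reports what the pass-through pattern would have let through; the allowlist, the sample headers and the header name x-untrusted-example are constructed for illustration.

```javascript
// Added example, not from the advisory: forward an explicit allowlist of
// request headers instead of the whole incoming set. Uses the WHATWG Headers
// class (Node 18+), so it runs stand-alone without importing next/server.

// Constructed allowlist: only the headers the downstream handler really needs.
const FORWARD_ALLOWLIST = ["accept", "accept-language", "content-type", "x-request-id"];

// Pass-through pattern: every incoming header, including client-controlled ones
// the application never meant to trust, is copied into the forwarded request.
function forwardAllHeaders(incoming) {
  return new Headers(incoming);
}

// Allowlist pattern: copy only named headers; anything else is dropped.
function forwardAllowlistedHeaders(incoming, allowlist = FORWARD_ALLOWLIST) {
  const out = new Headers();
  for (const name of allowlist) {
    const value = incoming.get(name);
    if (value !== null) out.set(name, value);
  }
  return out;
}

// Names the pass-through pattern would have forwarded but the allowlist
// rejects; handy as a log line when reviewing an existing middleware.
function droppedHeaders(incoming, allowlist = FORWARD_ALLOWLIST) {
  const allowed = new Set(allowlist.map((n) => n.toLowerCase()));
  return [...incoming.keys()].filter((n) => !allowed.has(n)).sort();
}

// Constructed sample request headers; "x-untrusted-example" stands in for any
// header the application did not intend to forward.
const SAMPLE_REQUEST_HEADERS = new Headers({
  accept: "text/html",
  cookie: "session=constructed",
  "x-untrusted-example": "client-supplied-value",
});

// Inside a real middleware.ts the hardened call would read:
//   return NextResponse.next({
//     request: { headers: forwardAllowlistedHeaders(request.headers) },
//   });
```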