v15.5.16
📦 next-js
🐛 12 fixes
Summary
This release primarily focuses on addressing multiple security vulnerabilities across Server Components, Middleware, Image Optimization, and caching mechanisms. Users are strongly encouraged to update immediately to mitigate risks.
🐛 Bug Fixes
- Addressed High severity vulnerability: Denial of Service with Server Components ([GHSA-8h8q-6873-q5fj]).
- Addressed High severity vulnerability: Middleware / Proxy bypass in App Router applications via segment-prefetch routes ([GHSA-267c-6grr-h53f]).
- Addressed High severity vulnerability: Denial of Service via connection exhaustion in applications using Cache Components ([GHSA-mg66-mrh9-m8jx]).
- Addressed High severity vulnerability: Middleware / Proxy bypass through dynamic route parameter injection ([GHSA-492v-c6pp-mqqv]).
- Addressed High severity vulnerability: Server-side request forgery in applications using WebSocket upgrades ([GHSA-c4j6-fc7j-m34r]).
- Addressed High severity vulnerability: Middleware / Proxy bypass in Pages Router applications using i18n ([GHSA-36qx-fr4f-26g5]).
- Addressed Moderate severity vulnerability: Cross-site scripting in App Router applications using CSP nonces ([GHSA-ffhc-5mcf-pf4q]).
- Addressed Moderate severity vulnerability: Cross-site scripting in beforeInteractive scripts with untrusted input ([GHSA-gx5p-jg67-6x7h]).
- Addressed Moderate severity vulnerability: Denial of Service in the Image Optimization API ([GHSA-h64f-5h5j-jqjh]).
- Addressed Moderate severity vulnerability: Cache poisoning in React Server Component responses ([GHSA-wfc6-r584-vfw7]).
- Addressed Low severity vulnerability: Cache poisoning via collisions in React Server Component cache-busting ([GHSA-vfv6-92ff-j949]).
- Addressed Low severity vulnerability: Middleware / Proxy redirects can be cache-poisoned ([GHSA-3g8h-86w9-wvmq]).