Change8

v15.5.18

📦 next-js
🐛 12 fixes · 🔧 7 symbols

Summary

This release primarily applies critical security fixes across several components, including Server Components, Middleware, and the Image Optimization API, addressing multiple high- and moderate-severity advisories.

🐛 Bug Fixes

  • Addressed a denial-of-service vulnerability related to Server Components.
  • Fixed Middleware / Proxy bypass issues in App Router applications via segment-prefetch routes (including a follow-up fix).
  • Mitigated denial of service via connection exhaustion in applications using Cache Components.
  • Fixed Middleware / Proxy bypass through dynamic route parameter injection.
  • Resolved server-side request forgery in applications using WebSocket upgrades.
  • Fixed Middleware / Proxy bypass in Pages Router applications using i18n.
  • Addressed cross-site scripting vulnerabilities in App Router applications using CSP nonces.
  • Fixed cross-site scripting in beforeInteractive scripts when using untrusted input.
  • Addressed denial of service in the Image Optimization API.
  • Fixed cache poisoning in React Server Component responses.
  • Fixed cache poisoning via collisions in React Server Component cache-busting.
  • Resolved issues where Middleware / Proxy redirects could be cache-poisoned.

Affected Symbols