Change8

v16.2.6

📦 next-jsView on GitHub →
🐛 12 fixes

Summary

This release primarily focuses on addressing numerous high, moderate, and low-severity security vulnerabilities across Server Components, Middleware, Caching, and Image Optimization. Users are strongly encouraged to update immediately to patch these critical issues.

🐛 Bug Fixes

  • Addressed Denial of Service vulnerability related to Server Components ([GHSA-8h8q-6873-q5fj]).
  • Fixed Middleware/Proxy bypass issues in App Router applications via segment-prefetch routes ([GHSA-267c-6grr-h53f], [GHSA-26hh-7cqf-hhc6]).
  • Mitigated Denial of Service via connection exhaustion in applications using Cache Components ([GHSA-mg66-mrh9-m8jx]).
  • Resolved Middleware/Proxy bypass through dynamic route parameter injection ([GHSA-492v-c6pp-mqqv]).
  • Fixed Server-side request forgery in applications using WebSocket upgrades ([GHSA-c4j6-fc7j-m34r]).
  • Addressed Middleware/Proxy bypass in Pages Router applications using i18n ([GHSA-36qx-fr4f-26g5]).
  • Fixed Cross-site scripting vulnerability in App Router applications using CSP nonces ([GHSA-ffhc-5mcf-pf4q]).
  • Resolved Cross-site scripting in beforeInteractive scripts with untrusted input ([GHSA-gx5p-jg67-6x7h]).
  • Fixed Denial of Service in the Image Optimization API ([GHSA-h64f-5h5j-jqjh]).
  • Addressed Cache poisoning in React Server Component responses ([GHSA-wfc6-r584-vfw7]).
  • Fixed Cache poisoning via collisions in React Server Component cache-busting ([GHSA-vfv6-92ff-j949]).
  • Resolved Middleware/Proxy redirects cache poisoning vulnerability ([GHSA-3g8h-86w9-wvmq]).