Skip to content

Commit a9a9d87

Browse files
renovate[bot]renovate[bot]
authored
fix(deps): update dependency next to v14.2.32 [security] (#1226)
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [next](https://nextjs.org) ([source](https://redirect.github.com/vercel/next.js)) | [`14.2.30` -> `14.2.32`](https://renovatebot.com/diffs/npm/next/14.2.30/14.2.32) | [![age](https://developer.mend.io/api/mc/badges/age/npm/next/14.2.32?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/next/14.2.30/14.2.32?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-55173](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v) A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173) #### [CVE-2025-57822](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f) A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822) #### [CVE-2025-57752](https://redirect.github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v) A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752) --- ### Release Notes <details> <summary>vercel/next.js (next)</summary> ### [`v14.2.32`](https://redirect.github.com/vercel/next.js/compare/v14.2.31...v14.2.32) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.31...v14.2.32) ### [`v14.2.31`](https://redirect.github.com/vercel/next.js/releases/tag/v14.2.31) [Compare Source](https://redirect.github.com/vercel/next.js/compare/v14.2.30...v14.2.31) > \[!NOTE]\ > This release is backporting bug fixes. It does **not** include all pending features/changes on canary. ##### Core Changes - fix(next/image): improve and simplify detect-content-type ([#&#8203;82179](https://redirect.github.com/vercel/next.js/issues/82179)) - fix(next/image): fix image-optimizer.ts headers ([#&#8203;82178](https://redirect.github.com/vercel/next.js/issues/82178)) ##### Credits Huge thanks to [@&#8203;styfle](https://redirect.github.com/styfle) and [@&#8203;ztanner](https://redirect.github.com/ztanner) for helping! </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/huv1k/website). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS45MS4xIiwidXBkYXRlZEluVmVyIjoiNDEuOTEuMSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent 488e175 commit a9a9d87

File tree

2 files changed

+56
-56
lines changed

2 files changed

+56
-56
lines changed

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@
4242
"graphql": "16.10.0",
4343
"graphql-yoga": "5.12.0",
4444
"gray-matter": "4.0.3",
45-
"next": "14.2.30",
45+
"next": "14.2.32",
4646
"next-contentlayer": "0.3.4",
4747
"next-seo": "6.6.0",
4848
"nexus": "1.3.0",

pnpm-lock.yaml

Lines changed: 55 additions & 55 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)