
Changelog - Vercel
  • CVE-2025-57822

    Summary

    A vulnerability affecting Next.js Middleware has been addressed. It impacted versions prior to v14.2.32 and v15.4.7, and involved a Server-Side Request Forgery (SSRF) risk introduced by misconfigured usage of the NextResponse.next() function within middleware. Applications that reflected a user's request headers in this function, rather than passing them through the request object, could unintentionally allow the server to issue requests to attacker-controlled destinations.

    A patch applied on August 25th, 2025 eliminated exposure for Vercel customers running the affected versions.

    Impact

    In affected configurations, an attacker could:

    • Influence the destination of internal requests triggered by middleware routing logic

    • Perform SSRF against internal infrastructure if user-controlled headers (e.g., Location) were forwarded or interpreted without validation

    • Potentially access sensitive internal resources or services unintentionally exposed via internal redirect behavior

    This issue is exploitable in self-hosted deployments where developers use custom middleware logic and do not adhere to documented usage of NextResponse.next({ request }). It is not exploitable on Vercel infrastructure, which isolates and protects internal request behavior.

    Resolution

    The issue was resolved by updating the internal middleware logic to prevent unsafe fallback behavior when request is omitted from the next() call. This ensures the origin server behavior cannot be unintentionally altered by user-supplied headers or misrouted requests.

    Fix available in:

    • Next.js v14.2.32

    • Next.js v15.4.7

    Workarounds

    For users who cannot upgrade immediately:

    • Ensure middleware follows official guidance: use NextResponse.next({ request }) to explicitly pass the request object

    • Avoid forwarding user-controlled headers to downstream systems without validation

    • Ensure headers that a client should never be able to set on the server side, such as Location, are not reflected through NextResponse.next.
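    The header discipline the workarounds above describe, written as an added example that is not code from Vercel or the Next.js project. It runs on plain Node.js 18+ using the WHATWG Headers class so no Next.js install is needed; the allow and deny lists, the function names and the sample headers are assumptions for illustration, and only the Location entry in the deny list comes from the advisory.

```javascript
// Added example (not Vercel's or Next.js's code): allowlisted header
// forwarding for a middleware, beside the reflect-everything anti-pattern.

// Headers a client must never be able to inject into the forwarded request or
// have reflected back. Location is the one the advisory names; the others are
// assumed additions that routing layers commonly treat as control headers.
const NEVER_FORWARD = new Set(['location', 'host', 'content-length', 'transfer-encoding']);

// Headers this middleware legitimately needs downstream (assumed list).
const DEFAULT_ALLOW = new Set(['accept', 'accept-language', 'user-agent', 'x-request-id']);

// Weak pattern: copy every client header into the options handed to next().
// Whatever the client sent, Location included, is reflected unchanged.
function reflectAllHeaders(incoming) {
  return new Headers(incoming);
}

// Hardened pattern: build the forwarded set from an allowlist, drop everything
// else, and report the dropped names so the middleware can log them.
function forwardAllowlisted(incoming, allow = DEFAULT_ALLOW) {
  const headers = new Headers();
  const dropped = [];
  for (const [name, value] of incoming) {       // Headers yields lowercase names
    if (NEVER_FORWARD.has(name) || !allow.has(name)) {
      dropped.push(name);
      continue;
    }
    headers.set(name, value);
  }
  return { headers, dropped };
}

// Constructed sample of one client request's headers, including a hostile
// Location header that must not reach the downstream request.
const constructedClientHeaders = new Headers({
  host: 'app.example',
  accept: 'text/html',
  'user-agent': 'example-client/1.0',
  location: 'http://internal.invalid/',
});

// Usage sketch inside a Next.js middleware (assumed shape, per the documented
// "pass headers through the request object" guidance the advisory refers to):
//   const { headers, dropped } = forwardAllowlisted(request.headers);
//   if (dropped.length) console.warn('dropped client headers:', dropped);
//   return NextResponse.next({ request: { headers } });
```

The `dropped` list is worth emitting to logs: a client that keeps sending `Location` or `Host` values to a middleware that never forwards them is a signal worth alerting on, and the allowlist keeps the forwarded set reviewable in code review.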

    Credit

    Thanks to Nicolas Lamoureux (github.com/nicolas-latacora) and the Latacora team for their responsible disclosure.

    References

  • CVE-2025-55173

    Summary

    A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31, and involved a scenario where attacker-controlled external image servers could serve crafted responses that result in arbitrary file downloads with attacker-defined filenames and content.

    A patch applied on July 29th, 2025 eliminated exposure for Vercel customers running the affected versions.

    Impact

    Under certain configurations (images.domains or permissive images.remotePatterns), a malicious actor could:

    • Trigger the download of a file from a Next.js app with attacker-controlled content and filename

    • Exploit this behavior for phishing, drive-by downloads, or social engineering scenarios

    This issue requires that:

    • The target app has external image domains or patterns configured

    • The remote server is attacker-controlled or attacker-influenced

    • A user is tricked into clicking a crafted URL

    Resolution

    The issue was resolved by updating the image optimizer logic to avoid falling back to the upstream’s Content-Type header when magic number detection fails. This ensures that responses are only cached when confidently identified as image content and do not mistakenly reuse cache keys for user-specific responses.
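    The classification rule the resolution describes, as an added example that is not code from Vercel or the Next.js project: the body is identified from its magic number only, and an unrecognised body is rejected instead of falling back to the upstream's Content-Type. Function names and the constructed sample bodies are assumptions; the signatures are the published ones for PNG, JPEG, GIF, WebP and AVIF.

```javascript
// Added example (not Vercel's or Next.js's code): magic-number detection that
// never trusts the upstream Content-Type header.

// Signatures checked at a fixed offset. Offsets and bytes follow the format specs.
const SIGNATURES = [
  { type: 'image/png',  offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  offset: 0, bytes: Array.from(Buffer.from('GIF8')) },
];

function matchesAt(buf, offset, bytes) {
  if (buf.length < offset + bytes.length) return false;
  return bytes.every((b, i) => buf[offset + i] === b);
}

// Returns the detected image MIME type, or null when the body is not a
// recognised image. WebP and AVIF need two checks each, so they are explicit.
function detectImageType(buf) {
  for (const sig of SIGNATURES) {
    if (matchesAt(buf, sig.offset, sig.bytes)) return sig.type;
  }
  // WebP: RIFF container whose form type at offset 8 is "WEBP".
  if (matchesAt(buf, 0, [...Buffer.from('RIFF')]) && matchesAt(buf, 8, [...Buffer.from('WEBP')])) {
    return 'image/webp';
  }
  // AVIF: ISO BMFF file whose first box is "ftyp" with major brand "avif".
  if (matchesAt(buf, 4, [...Buffer.from('ftyp')]) && matchesAt(buf, 8, [...Buffer.from('avif')])) {
    return 'image/avif';
  }
  return null;
}

// The optimizer's decision for an upstream response. The pre-fix behaviour the
// advisory describes used upstreamContentType when detection failed, letting
// the upstream choose the declared type of what the origin served; here an
// unrecognised body is neither served nor cached, whatever the upstream claimed.
function classifyUpstreamImage(body, upstreamContentType) {
  const detected = detectImageType(body);
  if (detected === null) {
    return {
      serve: false,
      cache: false,
      reason: `body is not a recognised image (upstream claimed ${upstreamContentType})`,
    };
  }
  return { serve: true, cache: true, contentType: detected };
}

// Constructed samples: a minimal PNG header, and a non-image body that a
// hostile upstream delivers with an image Content-Type.
const constructedPng = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const constructedHostile = Buffer.from('MZ\x90\x00 this is not an image', 'latin1');
```

Note that the served Content-Type comes from `detected`, never from the upstream, so even a genuine image delivered with a misleading Content-Type is served under its real type.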

    The fix was included in:

    • Next.js v15.4.5

    • Next.js v14.2.31

    Credit

    Thanks to kristianmagas for the responsible disclosure.

    References

  • CVE-2025-57752

    Summary

    A vulnerability affecting Next.js Image Optimization has been addressed. It impacted versions prior to v15.4.5 and v14.2.31, and involved a cache poisoning issue that caused sensitive image responses from API routes to be cached and subsequently served to unauthorized users.

    Vercel deployments were never impacted by this vulnerability.

    Impact

    When API routes are used to return image content that varies based on headers (e.g., Cookie, Authorization), and those images are passed through Next.js Image Optimization, the optimized image may be cached without including those request headers as part of the cache key. This can lead to:

    • Unauthorized disclosure of user-specific or protected image content

    • Cross-user leakage of conditional content via CDN or internal cache

    This issue arises without user interaction and requires no elevated privileges, only a prior authorized request to populate the cache.

    Resolution

    The issue was resolved by ensuring request headers aren’t forwarded to the request that is proxied to the image endpoint. This ensures that the image endpoint cannot be used to serve images that require authorization data and thus cannot be cached.
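    A small model of the cache-poisoning path and of the resolution above, as an added example that is not code from Vercel or the Next.js project. It simulates an optimizer whose cache key is (url, width) only, in front of an API route whose image depends on the Cookie header; every name, the fake route and the two sessions are assumptions, and the `forwardHeaders` switch stands in for pre-fix versus post-fix behaviour.

```javascript
// Added example (not Vercel's or Next.js's code): why forwarding request
// headers to the optimizer's upstream fetch lets user-specific images into a
// header-agnostic cache, and why dropping them closes the path.

// Fake per-user API route: a different image body per session cookie, and a
// 401 without one (the kind of route the advisory describes).
function fakeImageApiRoute(headers) {
  const cookie = headers.get('cookie');
  if (!cookie) return { status: 401, body: null };
  return { status: 200, body: Buffer.from(`private-image-for:${cookie}`) };
}

// Optimizer with a cache whose key omits request headers. forwardHeaders=true
// models the pre-fix behaviour, false the post-fix behaviour.
function makeOptimizer({ forwardHeaders }) {
  const cache = new Map();
  return function optimize(url, width, incomingHeaders) {
    const key = `${url}|w=${width}`;              // no Cookie/Authorization in the key
    if (cache.has(key)) return { body: cache.get(key), fromCache: true, status: 200 };

    // Pre-fix: client headers ride along on the upstream fetch, so the route
    // answers with user-specific bytes that then land in the shared cache.
    // Post-fix: the upstream fetch carries no client headers, so a protected
    // route cannot be served through the optimizer at all.
    const upstreamHeaders = forwardHeaders ? new Headers(incomingHeaders) : new Headers();
    const res = fakeImageApiRoute(upstreamHeaders);
    if (res.status !== 200) return { body: null, fromCache: false, status: res.status };
    cache.set(key, res.body);
    return { body: res.body, fromCache: false, status: 200 };
  };
}

// Constructed sessions for two users requesting the same optimized URL.
const alice = new Headers({ cookie: 'session=alice' });
const bob = new Headers({ cookie: 'session=bob' });

// Pre-fix: Alice's authorized request populates the cache; Bob then receives
// Alice's private image from it, exactly the cross-user leak described above.
function demonstrateLeak() {
  const optimize = makeOptimizer({ forwardHeaders: true });
  optimize('/api/avatar', 64, alice);
  const bobView = optimize('/api/avatar', 64, bob);
  return { fromCache: bobView.fromCache, body: bobView.body.toString() };
}

// Post-fix: neither request reaches the route with a cookie, both get 401,
// and nothing user-specific is ever written to the cache.
function demonstrateFix() {
  const optimize = makeOptimizer({ forwardHeaders: false });
  const first = optimize('/api/avatar', 64, alice);
  const second = optimize('/api/avatar', 64, bob);
  return { firstStatus: first.status, secondStatus: second.status, cached: second.fromCache };
}
```

The alternative of adding Cookie and Authorization to the cache key would also stop the leak, but it turns every per-user image into a cache miss; not forwarding credentials at all, as the resolution describes, keeps the optimizer limited to content that is public by construction.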

    Fix available in:

    • Next.js v15.4.5

    • Next.js v14.2.31

    Credit

    Thanks to reddounsf for the responsible disclosure.

    References
