Skip to content

Update dependency next to v16.2.6 [SECURITY]#194

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-next-vulnerability
Open

Update dependency next to v16.2.6 [SECURITY]#194
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-next-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 12, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
next (source) 16.1.716.2.6 age confidence

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

CVE-2026-44573 / GHSA-36qx-fr4f-26g5

More information

Details

Impact

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n data route.

Workarounds

If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

CVE-2026-44575 / GHSA-267c-6grr-h53f

More information

Details

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.

Workarounds

If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

CVE-2026-44580 / GHSA-gx5p-jg67-6x7h

More information

Details

Impact

Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.

Fix

We now HTML-escape serialized beforeInteractive script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.

Workarounds

If you cannot upgrade immediately, do not pass untrusted data into beforeInteractive scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js vulnerable to cache poisoning in React Server Component responses

CVE-2026-44576 / GHSA-wfc6-r584-vfw7

More information

Details

Impact

Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.

Fix

We now validate and interpret RSC request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.

Workarounds

If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors Vary, or disable shared caching for affected App Router and RSC responses.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

CVE-2026-45109 / GHSA-26hh-7cqf-hhc6

More information

Details

Impact

It was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. Refer to CVE-2026-44575 for further details.

References

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

CVE-2026-44574 / GHSA-492v-c6pp-mqqv

More information

Details

Impact

Applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visible path unchanged, which can allow protected content to be rendered without passing the expected middleware check.

Fix

We now only honor internal route-parameter normalization in trusted routing flows and ignore externally supplied parameter encodings that should never have been accepted from ordinary requests.

Workarounds

If you cannot upgrade immediately, enforce authorization in route or page logic instead of relying solely on middleware path matching.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

vercel/next.js (next)

v16.2.6

Compare Source

v16.2.5

Compare Source

v16.2.4

Compare Source

v16.2.3

Compare Source

v16.2.2

Compare Source

v16.2.1

Compare Source

v16.2.0

Compare Source


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the maintenance Housekeeping label May 12, 2026
@renovate renovate Bot enabled auto-merge (squash) May 12, 2026 19:45
@pkg-pr-new

pkg-pr-new Bot commented May 12, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/@croct/plug-next@194

commit: c81e2c9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

maintenance Housekeeping

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants