fix(deps): vuln next (major → 16.2.4) [website]

[gh-worker-campaigns-3e9aa4]

Summary: Critical-severity security update — 1 package upgraded (MAJOR changes included)

Manifests changed:

• website (npm)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
next	14.0.4	16.2.4	major	Direct	2 CRITICAL, 10 HIGH, 16 MODERATE, 4 LOW

---

Warning

Major Version Upgrade

This update includes major version changes that may contain breaking changes. Please:

• Review the changelog/release notes for breaking changes
• Test thoroughly in a staging environment
• Update any code that depends on changed APIs
• Ensure all tests pass before merging

Security Details

🚨 Critical & High Severity (12 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
next	GHSA-f82v-jwr5-mffw	CRITICAL	Authorization Bypass in Next.js Middleware	14.0.4	13.5.9
next	CVE-2025-29927	CRITICAL	Authorization Bypass in Next.js Middleware	14.0.4	-
next	GHSA-fr5h-rqp8-mj6g	HIGH	Next.js Server-Side Request Forgery in Server Actions	14.0.4	14.1.1
next	GHSA-mwv6-3258-q52c	HIGH	Next Vulnerable to Denial of Service with Server Components	14.0.4	14.2.34
next	GHSA-5j59-xgg2-r9c4	HIGH	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up	14.0.4	14.2.35
next	CVE-2024-51479	HIGH	Authorization bypass in Next.js	14.0.4	-
next	GHSA-gp8f-8m3g-qvj9	HIGH	Next.js Cache Poisoning	14.0.4	13.5.7
next	CVE-2024-46982	HIGH	Cache Poisoning in next.js	14.0.4	-
next	GHSA-h25m-26qc-wcjf	HIGH	Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components	14.0.4	15.0.8
next	GHSA-q4gf-8mx6-v5v3	HIGH	Next.js has a Denial of Service with Server Components	14.0.4	15.5.15
next	GHSA-7gfc-8cq8-jh5f	HIGH	Next.js authorization bypass vulnerability	14.0.4	14.2.15
next	CVE-2024-34351	HIGH	Next.js Server-Side Request Forgery in Server Actions	14.0.4	-

ℹ️ Other Vulnerabilities (20)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
next	GHSA-7m27-7ghc-44w9	MODERATE	Next.js Allows a Denial of Service (DoS) with Server Actions	14.0.4	13.5.8
next	CVE-2025-57822	MODERATE	Next.js Improper Middleware Redirect Handling Leads to SSRF	14.0.4	-
next	CVE-2025-57752	MODERATE	Next.js Affected by Cache Key Confusion for Image Optimization API Routes	14.0.4	-
next	GHSA-g5qg-72qw-gw5v	MODERATE	Next.js Affected by Cache Key Confusion for Image Optimization API Routes	14.0.4	14.2.31
next	GHSA-ggv3-7p47-pfv8	MODERATE	Next.js: HTTP request smuggling in rewrites	14.0.4	16.1.7
next	CVE-2024-56332	MODERATE	Next.js Vulnerable to Denial of Service (DoS) with Server Actions	14.0.4	-
next	GHSA-9g9p-9gw9-jx7f	MODERATE	Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration	14.0.4	15.5.10
next	CVE-2025-59471	MODERATE	-	14.0.4	-
next	GHSA-g77x-44xx-532m	MODERATE	Denial of Service condition in Next.js image optimization	14.0.4	14.2.7
next	CVE-2024-47831	MODERATE	Next.js image optimization has Denial of Service condition	14.0.4	-
next	GHSA-4342-x723-ch2f	MODERATE	Next.js Improper Middleware Redirect Handling Leads to SSRF	14.0.4	14.2.32
next	CVE-2025-55173	MODERATE	Next.js Content Injection Vulnerability for Image Optimization	14.0.4	-
next	CVE-2026-27980	MODERATE	Next.js: Unbounded next/image disk cache growth can exhaust storage	14.0.4	-
next	GHSA-3x4c-7xq6-9pq8	MODERATE	Next.js: Unbounded next/image disk cache growth can exhaust storage	14.0.4	16.1.7
next	GHSA-xv57-4mr9-wg8v	MODERATE	Next.js Content Injection Vulnerability for Image Optimization	14.0.4	14.2.31
next	CVE-2026-29057	MODERATE	Next.js: HTTP request smuggling in rewrites	14.0.4	-
next	CVE-2025-48068	LOW	Information exposure in Next.js dev server due to lack of origin verification	14.0.4	-
next	GHSA-3h52-269p-cp9r	LOW	Information exposure in Next.js dev server due to lack of origin verification	14.0.4	15.2.2
next	CVE-2025-32421	LOW	Next.js Race Condition to Cache Poisoning	14.0.4	-
next	GHSA-qpjv-v59x-3qc4	LOW	Next.js Race Condition to Cache Poisoning	14.0.4	14.2.24

---

Review Checklist

Extra review is recommended for this update:

• Review changes for compatibility with your code
• Check release notes for breaking changes
• Run integration tests to verify service behavior
• Test in staging environment before production
• Monitor key metrics after deployment
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation (Critical/High)

🤖 Generated by DataDog Automated Dependency Management System

[campaigner-prod]

Release Notes

next (14.0.4 → 16.2.4) — GitHub Release

v16.2.1-canary.46

Core Changes

• Support type cast expressions in page static info extractor: Support type cast expressions in page static info extractor vercel/next.js#92837
• Fix dev mode hydration failure when page is served from HTTP cache: Fix dev mode hydration failure when page is served from HTTP cache vercel/next.js#92892
• [devtools] Preserve full code frames in browser overlay: [devtools] Preserve full code frames in browser overlay vercel/next.js#92621
• Enable prefetchInlining by default: Enable prefetchInlining by default vercel/next.js#92863
• Replace deprecated moduleResolution: "node": Replace deprecated moduleResolution: "node" vercel/next.js#92654

Misc Changes

• turbo-tasks: add info_span for blocking waits during task restore: turbo-tasks: add info_span for blocking waits during task restore vercel/next.js#92878
• Turbopack: Use an async lock in the filesystem watcher: Turbopack: Use an async lock in the filesystem watcher vercel/next.js#92906
• [ci] Skip Playwright system deps install on subsequent self-hosted runs: [ci] Skip Playwright system deps install on subsequent self-hosted runs vercel/next.js#92893
• turbo-tasks: Reduce allocations on cache hits: turbo-tasks: Reduce allocations on cache hits vercel/next.js#92756
• CI: Remove dead yarn support from next-stats-action: CI: Remove dead yarn support from next-stats-action vercel/next.js#92587

Credits

Huge thanks to @mischnic, @sokra, @unstubbable, @aurorascharff, @acdlite, @bgw, @mmastrac, @eps1lon, and @lukesandberg for helping!

v16.2.1-canary.45

Core Changes

• Allow overriding outputHashSalt in modifyConfig: Allow overriding outputHashSalt in modifyConfig vercel/next.js#92856

Misc Changes

• Turbopack: Use lld again on ARM64 glibc Linux: Turbopack: Use lld again on ARM64 glibc Linux vercel/next.js#92860
• [ci]: add workflow to bump canary after backport: [ci]: add workflow to bump canary after backport vercel/next.js#92801
• turbopack: cache TransformPlugin in narrow-scoped turbo-tasks functions: turbopack: cache TransformPlugin in narrow-scoped turbo-tasks functions vercel/next.js#92842

Credits

Huge thanks to @bgw, @ztanner, @sokra, and @mischnic for helping!

v16.2.4

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) vercel/next.js#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (Turbopack: fix filesystem watcher config not applying follow_symlinks(false) vercel/next.js#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) vercel/next.js#92580)
• Compiler: Support boolean and number primtives in next.config defines (Compiler: Support boolean and number primtives in next.config defines vercel/next.js#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation vercel/next.js#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (Turbopack: shorter error for ChunkGroupInfo::get_index_of vercel/next.js#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index vercel/next.js#92828)
• Adding more system info to the 'initialize project' trace (Adding more system info to the 'initialize project' trace vercel/next.js#92427)

Credits

Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!

v16.2.1-canary.44

Core Changes

• fix(trace-server): default MCP port to --port + 1 to avoid conflicts: fix(trace-server): default MCP port to --port + 1 to avoid conflicts vercel/next.js#92831
• Revert "Node.js streams: Add forkpoint for prerenderToStream": Revert "Node.js streams: Add forkpoint for prerenderToStream" vercel/next.js#92845
• Warn for non-deterministic "use cache" args during final prerender: Warn for non-deterministic "use cache" args during final prerender vercel/next.js#92820

Misc Changes

• Share native binaries via GitHub artifacts: Share native binaries via GitHub artifacts vercel/next.js#92758
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index: Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index vercel/next.js#92828
• Turbopack: refactor export analysis: Turbopack: refactor export analysis vercel/next.js#92781
• [ci] Skip sccache on Windows runners: [ci] Skip sccache on Windows runners vercel/next.js#92847
• Turbopack: remove StarImportAnalyzer: Turbopack: remove StarImportAnalyzer vercel/next.js#92830
• Turbopack: analyzer improvement followups: Turbopack: analyzer improvement followups vercel/next.js#92834
• Update Rspack production test manifest: Update Rspack production test manifest vercel/next.js#92674
• Update Rspack development test manifest: Update Rspack development test manifest vercel/next.js#92673
• Turbopack: move assignment_scopes computation into ImportMap: Turbopack: move assignment_scopes computation into ImportMap vercel/next.js#92835
• docs: restructure instant nav guide for clarity: docs: restructure instant nav guide for clarity vercel/next.js#92684
• docs: add documentation for no-typos ESLint rule: docs: add documentation for no-typos ESLint rule vercel/next.js#92809

Credits

Huge thanks to @mmastrac, @sokra, @mischnic, @timneutkens, @vercel-release-bot, @unstubbable, @icyJoseph, and @MukundaKatta for helping!

v16.2.1-canary.43

Core Changes

• webpack: fix swcPlugins with relative paths: webpack: fix swcPlugins with relative paths vercel/next.js#92770
• Node.js streams: Add forkpoint for logMessagesAndSendErrorsToBrowser: Node.js streams: Add forkpoint for logMessagesAndSendErrorsToBrowser vercel/next.js#92510
• Node.js streams: Add forkpoint for createCombinedPayloadStream: Node.js streams: Add forkpoint for createCombinedPayloadStream vercel/next.js#92511
• Node.js streams: Add forkpoint for renderWithRestartOnCacheMissInValidation: Node.js streams: Add forkpoint for renderWithRestartOnCacheMissInValidation vercel/next.js#92512
• Node.js streams: Add forkpoint for prerenderToStream: Node.js streams: Add forkpoint for prerenderToStream vercel/next.js#92513
• Perf: Fast path for trace() when opentelemetry is not enabled: Perf: Fast path for trace() when opentelemetry is not enabled vercel/next.js#92678

Misc Changes

• turbopack: gate ValueDebugFormat and ValueDebug behind debug_assertions: turbopack: gate ValueDebugFormat and ValueDebug behind debug_assertions vercel/next.js#92628
• Add TurboMalloc::thread_park() to flush and collect on thread park: Add TurboMalloc::thread_park() to flush and collect on thread park vercel/next.js#92804
• Stop using deprecated baseUrl: Stop using deprecated baseUrl vercel/next.js#92653
• Turbopack: Use FrozenMap for module export information: Turbopack: Use FrozenMap for module export information vercel/next.js#92802
• pr-status: Show all participants in review thread overview: pr-status: Show all participants in review thread overview vercel/next.js#92730
• docs: draftMode alignment: docs: draftMode alignment vercel/next.js#92794
• Turbopack: remove webpack chunk detection: Turbopack: remove webpack chunk detection vercel/next.js#92773
• Turbopack: refactor ESM codegen generation: Turbopack: refactor ESM codegen generation vercel/next.js#92777
• Fix monorepo @next/swc binary postinstall: Fix monorepo @next/swc binary postinstall vercel/next.js#92813
• Turbopack: shorter error for ChunkGroupInfo::get_index_of: Turbopack: shorter error for ChunkGroupInfo::get_index_of vercel/next.js#92814
• Turbopack: properly set NODE_ENV for SWC plugins: Turbopack: properly set NODE_ENV for SWC plugins vercel/next.js#92579

Credits

Huge thanks to @sokra, @eps1lon, @bgw, @icyJoseph, @mischnic, and @timneutkens for helping!

v16.2.1-canary.42

Core Changes

• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router): Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) vercel/next.js#92580
• Enable wasm plugins on windows arm: Enable wasm plugins on windows arm vercel/next.js#92544
• prefetchInlining: fix build crash on notFound() pages: prefetchInlining: fix build crash on notFound() pages vercel/next.js#92806

Credits

Huge thanks to @lukesandberg and @acdlite for helping!

v16.2.1-canary.41

Misc Changes

• Fix devlow-bench: tsconfig rootDir mismatch with package.json bin: Fix devlow-bench: tsconfig rootDir mismatch with package.json bin vercel/next.js#92800

Credits

Huge thanks to @mmastrac for helping!

v16.2.1-canary.40

Misc Changes

• Fix turbo cache flag: use --force: Fix turbo cache flag: use --force vercel/next.js#92796

Credits

Huge thanks to @mmastrac for helping!

v16.2.1-canary.38

Core Changes

• Ensure x-nextjs-data header is only set during resolve: Ensure x-nextjs-data header is only set during resolve vercel/next.js#92752

Credits

Huge thanks to @ijjk for helping!

v16.2.1-canary.37

Core Changes

• Exclude trace files from directory deletion in builds: Exclude trace files from directory deletion in builds vercel/next.js#92486
• Switch segment prefetch cache miss response from 204 to 404: Switch segment prefetch cache miss response from 204 to 404 vercel/next.js#92751

Misc Changes

• Re-enable sccache: Re-enable sccache vercel/next.js#92746

(truncated — see source for full notes)

---

Generated by ADMS Sources: 1 GitHub Release.

[seberm-6]

Hey, sorry for the noise. This was caused by a bug in our automated dependency update system that incorrectly included upstream changelog content in PR comments, triggering notifications to external contributors. The feature flag has been turned off and we're working on a fix. Sorry about that again.