Skip to content

chore(deps): update dependency next to v15.5.13 [security]#1685

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-next-vulnerability
Mar 20, 2026
Merged

chore(deps): update dependency next to v15.5.13 [security]#1685
renovate[bot] merged 1 commit intomainfrom
renovate/npm-next-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 18, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
next (source) 15.5.1015.5.13 age confidence

GitHub Vulnerability Alerts

CVE-2026-29057

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

  • Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.
  • Enforce authentication/authorization on backend routes per our security guidance.

Release Notes

vercel/next.js (next)

v15.5.13

Compare Source

v15.5.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

  • fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes
  • Tracing: Fix memory leak in span map (#​85529)
  • fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#​89134)
  • Turbopack: fix NFT tracing of sharp 0.34 (#​82340)
  • Turbopack: support pattern into exports field (#​82757)
  • NFT tracing fixes (#​84155 and #​85323)
  • Turbopack: validate CSS without computing all paths (#​83810)
  • feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#​89129)
Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch 7 times, most recently from 3cb8fcc to b0b4996 Compare March 19, 2026 16:53
@renovate renovate Bot force-pushed the renovate/npm-next-vulnerability branch from b0b4996 to bbe4428 Compare March 19, 2026 21:26
@renovate renovate Bot changed the title fix(deps): update dependency next to v16 [security] chore(deps): update dependency next to v15.5.13 [security] Mar 19, 2026
@renovate renovate Bot merged commit d755af0 into main Mar 20, 2026
7 checks passed
@renovate renovate Bot deleted the renovate/npm-next-vulnerability branch March 20, 2026 00:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants