Tanner

**Name of the Vulnerable Software and Affected Versions** Next.js versions 16.0.1 through 16.1.7 **Description** Next.js, a React framework for building full-stack web applications, had a flaw in its Server Action CSRF validation. Specifically, `origin: null` was incorrectly treated as a missing origin, allowing requests from opaque contexts like sandboxed iframes to bypass origin verification. This could enable an attacker to induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions using the victim's credentials, leading to a Cross-Site Request Forgery (CSRF) attack. The issue was addressed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. The API endpoint is susceptible to this issue when processing Server Actions. The vulnerable parameter is `origin`, which when set to `null`, bypasses the CSRF validation. **Recommendations** Next.js versions prior to 16.1.7 should be upgraded to version 16.1.7 or later. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions. Prefer `SameSite=Strict` on sensitive authentication cookies. Do not allow `'null'` in `experimental.serverActions.allowedOrigins` unless intentionally required and additionally protected.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 9.5.0 through 15.5.13 and 16.1.7 **Description** Next.js, a React framework, is affected by an issue where crafted `DELETE`/`OPTIONS` requests using `Transfer-Encoding: chunked` can cause request boundary disagreement between a proxy and backend when Next.js rewrites proxy traffic to an external backend. This can lead to request smuggling through rewritten routes. An attacker could potentially smuggle a second request to unintended backend routes, such as internal or admin endpoints, bypassing access controls. This does not impact applications hosted on providers that handle rewrites at the Content Delivery Network (CDN) level, like Vercel. The root cause of the issue is in an upstream library used by Next.js. The issue occurs when a request is rewritten, and the proxy and backend disagree on where the request boundaries are located. The `Transfer-Encoding: chunked` header is used to send data in a series of chunks, and the vulnerability arises when the proxy and backend interpret these chunks differently. The affected API endpoints are `/` and any routes that are rewritten. The vulnerable parameters are those included in the `DELETE` and `OPTIONS` requests, specifically the `Transfer-Encoding` header with a value of `chunked`. **Recommendations** Update Next.js to version 15.5.13 or 16.1.7. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy. Enforce authentication/authorization on backend routes.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 10.0.0 through 16.1.6 **Description** Next.js, a React framework for building full-stack web applications, had an issue where the default image optimization disk cache (`/ next/image`) lacked a configurable upper bound, leading to unbounded cache growth. An attacker could exploit this by generating numerous unique image optimization variants, potentially exhausting disk space and causing a denial of service. The issue does not impact platforms with their own image optimization capabilities. The affected component is the image optimization disk cache. The vulnerable parameters include `images.localPatterns`, `images.remotePatterns`, and `images.qualities`, which control variant cardinality. **Recommendations** Next.js versions prior to 16.1.7 should be upgraded to version 16.1.7. If upgrading is not immediately possible, periodically clean the `.next/cache/images` directory. As an alternative, reduce variant cardinality by tightening the values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`. Setting `images.maximumDiskCacheSize: 0` disables disk caching.