Tim Neutkens

**Name of the Vulnerable Software and Affected Versions** Next.js versions 15.2.0 through 15.5.17 Next.js versions 16.0.0 through 16.2.5 **Description** A flaw exists where a previous security fix was not correctly applied to `middleware.ts` when used in conjunction with Turbopack, a high-performance incremental bundler for JavaScript and TypeScript. **Recommendations** Update to version 15.5.18. Update to version 16.2.6.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 15.2.0 through 15.5.15 Next.js versions 16.0.0 through 16.2.4 **Description** App Router applications using middleware or proxy-based authorization checks may allow unauthorized access via transport-specific route variants used for segment prefetching. Specially crafted `.rsc` and segment-prefetch URLs can resolve to the same page without triggering the intended middleware rule, enabling access to protected content without authorization checks. **Recommendations** Update to version 15.5.16. Update to version 16.2.5. Enforce authorization in the underlying route or page logic instead of relying solely on middleware.

**Name of the Vulnerable Software and Affected Versions** Next.js versions prior to 15.5.16 Next.js versions prior to 16.2.5 **Description** Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A crafted POST request to a server action can trigger a request-body handling deadlock. This state keeps connections open for an extended period, consuming file descriptors and server capacity, which may result in a denial of service for legitimate users. **Recommendations** Update to version 15.5.16. Update to version 16.2.5. As a temporary workaround, block requests at the edge that contain the `Next-Resume` header.

**Name of the Vulnerable Software and Affected Versions** Next.js versions 13.4.13 through 15.5.15 Next.js versions 16.0.0 through 16.2.4 **Description** Self-hosted applications using the built-in Node.js server are subject to server-side request forgery (SSRF), a condition where an attacker forces a server to make requests to an unintended location. Unauthenticated remote attackers can use crafted absolute-form HTTP requests containing `Upgrade: websocket` headers to force the server to proxy requests to arbitrary internal or external destinations. This can expose internal services, admin panels, private APIs, and cloud metadata endpoints (such as 169.254.169.254), potentially leading to the theft of cloud credentials, API keys, and secrets. Approximately 79,000 instances are estimated to be exposed on Shodan. Vercel-hosted deployments are not affected. **Recommendations** For versions 13.4.13 through 15.5.15, upgrade to version 15.5.16. For versions 16.0.0 through 16.2.4, upgrade to version 16.2.5. As a temporary workaround, block WebSocket upgrades at the reverse proxy or load balancer if they are not required. Restrict origin egress to internal networks and metadata services where possible. Avoid exposing the origin server directly to untrusted networks.