Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and `next start` or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior to version 0.9.9 the `next` package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.
#### Impact
- **Affected:** Users of Next.js between 10.0.5 and 10.2.0
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using `pages/_error.js` without `getInitialProps`
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using `pages/_error.js` and `next export`
- **Not affected:** Deployments on Vercel (vercel.com)
- **Not affected:** Deployments with `pages/404.js`
Note that prior to version 0.9.9 the `next` npm package hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
vercel/next.js (next)
### [`v11.1.3`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.3)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.2...v11.1.3)
See https://github.com/vercel/next.js/releases/v12.0.5 for details about this patch.
### [`v11.1.2`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.2)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.1...v11.1.2)
##### Core Changes
- chore: upgrade styled-jsx to 4.0.1: [#28626](https://redirect.github.com/vercel/next.js/issues/28626)
- getServerSideProps should support props value as Promise: [#28607](https://redirect.github.com/vercel/next.js/issues/28607)
- Ensure custom app regex is correct for Windows: [#28631](https://redirect.github.com/vercel/next.js/issues/28631)
##### Credits
Huge thanks to [@huozhi](https://redirect.github.com/huozhi) and [@kara](https://redirect.github.com/kara) for helping!
### [`v11.1.1`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.1)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.0...v11.1.1)
##### Core Changes
- Next.js swc publish flow: [#27984](https://redirect.github.com/vercel/next.js/issues/27984)
- Ensure config file message is only shown once: [#28017](https://redirect.github.com/vercel/next.js/issues/28017)
- Add missing fields to `NextConfig` type: [#27974](https://redirect.github.com/vercel/next.js/issues/27974)
- use a shared worker pool for collecting page data and static page generation: [#27924](https://redirect.github.com/vercel/next.js/issues/27924)
- Use [@next](https://redirect.github.com/next) scope for native packages: [#28046](https://redirect.github.com/vercel/next.js/issues/28046)
- Fix `generateBuildId` type that can be async function: [#28040](https://redirect.github.com/vercel/next.js/issues/28040)
- Fix image optimization encoding url: [#28045](https://redirect.github.com/vercel/next.js/issues/28045)
- Clean up `Document` in preparation for streaming: [#28032](https://redirect.github.com/vercel/next.js/issues/28032)
- Render as a concatenation of streams: [#28082](https://redirect.github.com/vercel/next.js/issues/28082)
- Add support for dynamic HTML: [#28085](https://redirect.github.com/vercel/next.js/issues/28085)
- Support suspense in next dynamic: [#27611](https://redirect.github.com/vercel/next.js/issues/27611)
- Handle blob urls in image component: [#27975](https://redirect.github.com/vercel/next.js/issues/27975)
- Bypass webpack compilation for precompiled [@next/polyfills-nomodule](https://redirect.github.com/next/polyfills-nomodule): [#27596](https://redirect.github.com/vercel/next.js/issues/27596)
- Update `util` to 0.12.4: [#27939](https://redirect.github.com/vercel/next.js/issues/27939)
- Remove duplicate doctypes: [#28089](https://redirect.github.com/vercel/next.js/issues/28089)
- Fix revalidate for initial notFound: true paths: [#28097](https://redirect.github.com/vercel/next.js/issues/28097)
- Add proper error when failing to load next.config.js: [#28099](https://redirect.github.com/vercel/next.js/issues/28099)
- Fix: wrong link error message: [#28127](https://redirect.github.com/vercel/next.js/issues/28127)
- Add support for Jaeger trace target: [#28129](https://redirect.github.com/vercel/next.js/issues/28129)
- Enable pure client suspense in blocking rendering: [#28165](https://redirect.github.com/vercel/next.js/issues/28165)
- Add entrypoint tracing: [#25538](https://redirect.github.com/vercel/next.js/issues/25538)
- Add module type to build-module trace: [#28128](https://redirect.github.com/vercel/next.js/issues/28128)
- Update to latest babel versions: [#28174](https://redirect.github.com/vercel/next.js/issues/28174)
- Improve jaeger traces: [#28168](https://redirect.github.com/vercel/next.js/issues/28168)
- fix development mode bug with pages with "+" and other special characters: [#28122](https://redirect.github.com/vercel/next.js/issues/28122)
- let loaders automatically infer source map setting: [#28204](https://redirect.github.com/vercel/next.js/issues/28204)
- Avoid fs write `next-env.d.ts` on read-only filesystems: [#28206](https://redirect.github.com/vercel/next.js/issues/28206)
- Document usage of suspense option of next/dynamic: [#28210](https://redirect.github.com/vercel/next.js/issues/28210)
- Add warning when parent styles break `next/image`: [#28221](https://redirect.github.com/vercel/next.js/issues/28221)
- Use `zen-observable` library: [#28214](https://redirect.github.com/vercel/next.js/issues/28214)
- Fix HMR when custom \_app or \_document is removed: [#28227](https://redirect.github.com/vercel/next.js/issues/28227)
- Add relationship between issuer and module to traces: [#28192](https://redirect.github.com/vercel/next.js/issues/28192)
- Update generating next-server dependencies: [#28223](https://redirect.github.com/vercel/next.js/issues/28223)
- Fix `next/image` blur placeholder when JS is disabled: [#28269](https://redirect.github.com/vercel/next.js/issues/28269)
- Ensure adding \_app/\_document HMRs correctly: [#28279](https://redirect.github.com/vercel/next.js/issues/28279)
- upgrade webpack to 5.51.1: [#28291](https://redirect.github.com/vercel/next.js/issues/28291)
- \[ESLint] Adds `process.exit` to `next lint` success output: [#28299](https://redirect.github.com/vercel/next.js/issues/28299)
- Fix next env vars injection in dynamic: [#28309](https://redirect.github.com/vercel/next.js/issues/28309)
- Add layout to data-nimg attribute: [#28312](https://redirect.github.com/vercel/next.js/issues/28312)
- Add data attribute to script component: [#28310](https://redirect.github.com/vercel/next.js/issues/28310)
- Ensure [@babel/core](https://redirect.github.com/babel/core) is de-duped when nccing: [#28384](https://redirect.github.com/vercel/next.js/issues/28384)
- Fix forked NODE_OPTIONS except for inspect: [#28420](https://redirect.github.com/vercel/next.js/issues/28420)
- \[ESLint] Enable caching by default: [#28349](https://redirect.github.com/vercel/next.js/issues/28349)
- Update test config to leverage swc: [#28400](https://redirect.github.com/vercel/next.js/issues/28400)
- Add missing `typescript` property to `NextConfig`: [#28459](https://redirect.github.com/vercel/next.js/issues/28459)
- next/script fix duplicate scripts: [#28428](https://redirect.github.com/vercel/next.js/issues/28428)
- Ensure error is shown correctly for empty headers field: [#28430](https://redirect.github.com/vercel/next.js/issues/28430)
- Add default trace format that is exported automatically: [#28461](https://redirect.github.com/vercel/next.js/issues/28461)
- Update i18n locales limit to warning: [#28429](https://redirect.github.com/vercel/next.js/issues/28429)
- Fix handling for 204 status code with a body: [#28479](https://redirect.github.com/vercel/next.js/issues/28479)
- Update warning when parent styles break `next/image`: [#28517](https://redirect.github.com/vercel/next.js/issues/28517)
- Support for functional Document components: [#28515](https://redirect.github.com/vercel/next.js/issues/28515)
- Ensure dev server side errors are correct: [#28520](https://redirect.github.com/vercel/next.js/issues/28520)
- Add CSP to Image Optimization API: [#28620](https://redirect.github.com/vercel/next.js/issues/28620)
##### Documentation Changes
- Fix incorrect error manifest path: [#27970](https://redirect.github.com/vercel/next.js/issues/27970)
- Add testing docs: [#27965](https://redirect.github.com/vercel/next.js/issues/27965)
- \[DOCS] Update testing docs: [#28064](https://redirect.github.com/vercel/next.js/issues/28064)
- \[ESLint] Disallow inside \_document.js & inside the next/head component: [#27257](https://redirect.github.com/vercel/next.js/issues/27257)
- Docs: Mention 3rd option 'blocking' for fallback: [#28077](https://redirect.github.com/vercel/next.js/issues/28077)
- Add a Styling Section to next/image component docs: [#28055](https://redirect.github.com/vercel/next.js/issues/28055)
- Improve React Strict Mode documentation.: [#28139](https://redirect.github.com/vercel/next.js/issues/28139)
- doc: fix typo: [#28146](https://redirect.github.com/vercel/next.js/issues/28146)
- docs: corrected the link to the example: [#28175](https://redirect.github.com/vercel/next.js/issues/28175)
- ESLint Plugin: Prefer next script component when using the inline script for Google Analytics.: [#25147](https://redirect.github.com/vercel/next.js/issues/25147)
- Update testing.md: [#28190](https://redirect.github.com/vercel/next.js/issues/28190)
- docs: Add link to Cypress GitHub Actions Guide to Testing docs: [#28207](https://redirect.github.com/vercel/next.js/issues/28207)
- Add docs for ESLint plugin settings and rule options: [#28059](https://redirect.github.com/vercel/next.js/issues/28059)
- Add eslint rule for id attribute on inline next/script: [#27853](https://redirect.github.com/vercel/next.js/issues/27853)
- Update supported-browsers-features.md: [#28326](https://redirect.github.com/vercel/next.js/issues/28326)
- fix link to global stylesheet in from-create-react-app.md: [#28327](https://redirect.github.com/vercel/next.js/issues/28327)
- docs: update font-optimization.md: [#28397](https://redirect.github.com/vercel/next.js/issues/28397)
- Improved `next/image` docs around layouts.: [#28345](https://redirect.github.com/vercel/next.js/issues/28345)
- Minor docs edit: cors -> CORS: [#28472](https://redirect.github.com/vercel/next.js/issues/28472)
- Update docs for `sharp` usage to mention Vercel: [#28476](https://redirect.github.com/vercel/next.js/issues/28476)
- Use recommended pattern in testing example: [#28404](https://redirect.github.com/vercel/next.js/issues/28404)
- Update with-jest packages and docs: [#28209](https://redirect.github.com/vercel/next.js/issues/28209)
- Add docs for using pageExtensions to colocate other files with page components: [#22740](https://redirect.github.com/vercel/next.js/issues/22740)
- Small grammar fixes: [#28590](https://redirect.github.com/vercel/next.js/issues/28590)
##### Example Changes
- Make sure all example packages have `private: true`: [#28008](https://redirect.github.com/vercel/next.js/issues/28008)
- next-env.d.ts note in templates: [#27983](https://redirect.github.com/vercel/next.js/issues/27983)
- Add `.gitignore` to examples that lack them: [#28003](https://redirect.github.com/vercel/next.js/issues/28003)
- Update Firebase hosting example to use Node.js 14.: [#27988](https://redirect.github.com/vercel/next.js/issues/27988)
- Examples: Jotai: [#27940](https://redirect.github.com/vercel/next.js/issues/27940)
- Remove `licence` from all `example/package.json` files that have it: [#28007](https://redirect.github.com/vercel/next.js/issues/28007)
- Add ci script to check examples: [#28009](https://redirect.github.com/vercel/next.js/issues/28009)
- Replace CSS tag with JS import: [#28143](https://redirect.github.com/vercel/next.js/issues/28143)
- Fixed typos that existed on some files: [#28314](https://redirect.github.com/vercel/next.js/issues/28314)
- Add Temporal example: [#28348](https://redirect.github.com/vercel/next.js/issues/28348)
- \[examples] Added `with-couchbase` example: [#27184](https://redirect.github.com/vercel/next.js/issues/27184)
- \[examples] Add ElasticSearch example: [#28043](https://redirect.github.com/vercel/next.js/issues/28043)
- Fix: changing import syntax slightly to ensure success with `create-next-app`: [#28431](https://redirect.github.com/vercel/next.js/issues/28431)
- Add prop-types in package.json: [#28481](https://redirect.github.com/vercel/next.js/issues/28481)
- Update to use the latest MongoDB best practices to limit connection pooling issues.: [#28350](https://redirect.github.com/vercel/next.js/issues/28350)
- Add apiVersion to config: [#28610](https://redirect.github.com/vercel/next.js/issues/28610)
##### Misc Changes
- Tests: Execute development-logs tests.: [#27996](https://redirect.github.com/vercel/next.js/issues/27996)
- Fix publish native script: [#28037](https://redirect.github.com/vercel/next.js/issues/28037)
- Authenticate npm before publishing native packages: [#28041](https://redirect.github.com/vercel/next.js/issues/28041)
- publish flow fixes: [#28050](https://redirect.github.com/vercel/next.js/issues/28050)
- Use await correctly: [#28053](https://redirect.github.com/vercel/next.js/issues/28053)
- Refactor development-logs removing duplicated code.: [#28049](https://redirect.github.com/vercel/next.js/issues/28049)
- Fix gh action workflow when docs changed: [#28092](https://redirect.github.com/vercel/next.js/issues/28092)
- Skip native ci steps for docs only changes: [#28101](https://redirect.github.com/vercel/next.js/issues/28101)
- Add setup for m1 build: [#28138](https://redirect.github.com/vercel/next.js/issues/28138)
- fix(tests): fixes typo in basic integration test: [#28158](https://redirect.github.com/vercel/next.js/issues/28158)
- Fix crash of lint rule no-document-import-in-page: [#28148](https://redirect.github.com/vercel/next.js/issues/28148)
- docs: make contributing.md more contributor-friendly: [#27913](https://redirect.github.com/vercel/next.js/issues/27913)
- Update polling env var for tests in CI: [#28264](https://redirect.github.com/vercel/next.js/issues/28264)
- Ensure all packages are packed while tracing: [#28263](https://redirect.github.com/vercel/next.js/issues/28263)
- Use temp repo copy while linking packages: [#28301](https://redirect.github.com/vercel/next.js/issues/28301)
- feat: upgrade swc/core to 1.2.80: [#28347](https://redirect.github.com/vercel/next.js/issues/28347)
- Move unit tests to one folder and migrate them to TypeScript: [#28427](https://redirect.github.com/vercel/next.js/issues/28427)
- Tests: Adds test to data-nimg data attribute based on layout prop.: [#28444](https://redirect.github.com/vercel/next.js/issues/28444)
- Remove unused imports
- \[ESLint Plugin] Handles edge case for `no-import-document-in-page` rule: [#28261](https://redirect.github.com/vercel/next.js/issues/28261)
- Tests: Remove unnecessary await: [#28594](https://redirect.github.com/vercel/next.js/issues/28594)
##### Credits
Huge thanks to [@delbaoliveira](https://redirect.github.com/delbaoliveira), [@padmaia](https://redirect.github.com/padmaia), [@andersonleite](https://redirect.github.com/andersonleite), [@stefanprobst](https://redirect.github.com/stefanprobst), [@oBusk](https://redirect.github.com/oBusk), [@sokra](https://redirect.github.com/sokra), [@xnuk](https://redirect.github.com/xnuk), [@styfle](https://redirect.github.com/styfle), [@leerob](https://redirect.github.com/leerob), [@devknoll](https://redirect.github.com/devknoll), [@huozhi](https://redirect.github.com/huozhi), [@timneutkens](https://redirect.github.com/timneutkens), [@awareness481](https://redirect.github.com/awareness481), [@agektmr](https://redirect.github.com/agektmr), [@gu-stav](https://redirect.github.com/gu-stav), [@sampoder](https://redirect.github.com/sampoder), [@Thisen](https://redirect.github.com/Thisen), [@ijjk](https://redirect.github.com/ijjk), [@oscarafuentes](https://redirect.github.com/oscarafuentes), [@AryanBeezadhur](https://redirect.github.com/AryanBeezadhur), [@bmuenzenmeyer](https://redirect.github.com/bmuenzenmeyer), [@tdkn](https://redirect.github.com/tdkn), [@rgabs](https://redirect.github.com/rgabs), [@urko-pineda](https://redirect.github.com/urko-pineda), [@davecaruso](https://redirect.github.com/davecaruso), [@kevinold](https://redirect.github.com/kevinold), [@ctjlewis](https://redirect.github.com/ctjlewis), [@chrislloyd](https://redirect.github.com/chrislloyd), [@mrmckeb](https://redirect.github.com/mrmckeb), [@housseindjirdeh](https://redirect.github.com/housseindjirdeh), [@hiro0218](https://redirect.github.com/hiro0218), [@Bezmehrabi](https://redirect.github.com/Bezmehrabi), [@atcastle](https://redirect.github.com/atcastle), [@janicklas-ralph](https://redirect.github.com/janicklas-ralph), [@lorensr](https://redirect.github.com/lorensr), [@lekterable](https://redirect.github.com/lekterable), [@vcnc-hex](https://redirect.github.com/vcnc-hex), 
[@ejscribner](https://redirect.github.com/ejscribner), [@Andarist](https://redirect.github.com/Andarist), [@aravindputrevu](https://redirect.github.com/aravindputrevu), [@robbieaverill](https://redirect.github.com/robbieaverill), [@zhafri-shafiq](https://redirect.github.com/zhafri-shafiq), [@htunnicliff](https://redirect.github.com/htunnicliff), [@kukicado](https://redirect.github.com/kukicado), [@OzzieOrca](https://redirect.github.com/OzzieOrca), [@mikehedman](https://redirect.github.com/mikehedman), and [@kmelve](https://redirect.github.com/kmelve) for helping!
### [`v11.1.0`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.0)
[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.0.1...v11.1.0)
A security team from one of our partners noticed an issue in Next.js that allowed for an open redirect to occur.
Specially encoded paths could be used when `pages/_error.js` was statically generated allowing an open redirect to occur to an external site.
In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.
We recommend upgrading to the latest version of Next.js to improve the overall security of your application.
#### How to Upgrade
- We have released patch versions for both the stable and canary channels of Next.js.
- To upgrade run `npm install next@latest --save`
#### Impact
- **Affected:** Users of Next.js between 10.0.5 and 10.2.0
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using `pages/_error.js` without `getInitialProps`
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using `pages/_error.js` and `next export`
- **Not affected**: Deployments on Vercel ([vercel.com](https://vercel.com)) are not affected
- **Not affected:** Deployments **with** `pages/404.js`
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
##### How to Assess Impact
If you think sensitive code or data could have been exposed, you can filter the logs of affected sites for `//` (a double slash at the start of the URL path) followed by a domain.
#### What is Being Done
As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to Gabriel Benmergui from Robinhood for their investigation and discovery of the original bug and subsequent responsible disclosure.
We've landed a patch that ensures path parsing is handled properly for these paths so that the open redirect can no longer occur.
Regression tests for this attack were added to the [security](https://redirect.github.com/zeit/next.js/blob/canary/test/integration/production/test/security.js) integration test suite.
- We have notified known Next.js users in advance of this publication.
- A public CVE was released.
- We encourage responsible disclosure of future reports. Please email us at `security@vercel.com`. We are actively monitoring this mailbox.
***
#### Release notes
##### Core Changes
- Don't test image domains in test env: [#26502](https://redirect.github.com/vercel/next.js/issues/26502)
- Fix props not updating when changing the locale and keeping hash: [#26205](https://redirect.github.com/vercel/next.js/issues/26205)
- Allow user to override next-image-loader: [#26548](https://redirect.github.com/vercel/next.js/issues/26548)
- Add logging when a custom babelrc is loaded: [#26570](https://redirect.github.com/vercel/next.js/issues/26570)
- Add comment to not edit in next-env file: [#26573](https://redirect.github.com/vercel/next.js/issues/26573)
- Add trace url on bootup: [#26594](https://redirect.github.com/vercel/next.js/issues/26594)
- Add check for ObjectExpression when iterating on tags for font optimization: [#26608](https://redirect.github.com/vercel/next.js/issues/26608)
- Fix GSP redirect cache error: [#26627](https://redirect.github.com/vercel/next.js/issues/26627)
- Correct statusCode when visiting \_error directly: [#26610](https://redirect.github.com/vercel/next.js/issues/26610)
- fix: next dynamic with jest: [#26614](https://redirect.github.com/vercel/next.js/issues/26614)
- Ensure API routes are not available under the locale: [#26629](https://redirect.github.com/vercel/next.js/issues/26629)
- Fix image content type octet stream 400: [#26705](https://redirect.github.com/vercel/next.js/issues/26705)
- \[ESLint] Adds --max-warnings flag to `next lint`: [#26697](https://redirect.github.com/vercel/next.js/issues/26697)
- Simplify `next-dev-server` implementation: [#26230](https://redirect.github.com/vercel/next.js/issues/26230)
- Move code shared between server/client to "shared" folder: [#26734](https://redirect.github.com/vercel/next.js/issues/26734)
- Move next-server directory files to server directory: [#26756](https://redirect.github.com/vercel/next.js/issues/26756)
- Support new hydrate API in latest react 18 alpha release: [#26664](https://redirect.github.com/vercel/next.js/issues/26664)
- Add upstream `max-age` to optimized image: [#26739](https://redirect.github.com/vercel/next.js/issues/26739)
- Fix blurred image position when using objectPosition: [#26590](https://redirect.github.com/vercel/next.js/issues/26590)
- Leverage blocked page for \_error: [#26748](https://redirect.github.com/vercel/next.js/issues/26748)
- fix: detect loop in client error page: [#26567](https://redirect.github.com/vercel/next.js/issues/26567)
- Add `onLoadingComplete()` prop to Image component: [#26824](https://redirect.github.com/vercel/next.js/issues/26824)
- Add "Vary: Accept" header to /\_next/image responses: [#26788](https://redirect.github.com/vercel/next.js/issues/26788)
- Add additional tests for image type detection: [#26832](https://redirect.github.com/vercel/next.js/issues/26832)
- Fix immutable header for image with static import & unoptimized: [#26836](https://redirect.github.com/vercel/next.js/issues/26836)
- Make sure 404 pages do not get cached by a CDN when using next start: [#24983](https://redirect.github.com/vercel/next.js/issues/24983)
- Don't emit duplicate image files: [#26843](https://redirect.github.com/vercel/next.js/issues/26843)
- Warn when response body is larger than 5mb: [#26831](https://redirect.github.com/vercel/next.js/issues/26831)
- Fix: added the key property to the pre next scripts: [#26646](https://redirect.github.com/vercel/next.js/issues/26646)
- Ensure API route errors are propagated in minimal mode: [#26875](https://redirect.github.com/vercel/next.js/issues/26875)
- 5MB -> 4MB body size limit: [#26887](https://redirect.github.com/vercel/next.js/issues/26887)
- \[ESLint] Update default `.eslintrc` file created to have `.json` format: [#26884](https://redirect.github.com/vercel/next.js/issues/26884)
- Refactor decode failures: [#26899](https://redirect.github.com/vercel/next.js/issues/26899)
- Add initial `ResponsePayload` support: [#26938](https://redirect.github.com/vercel/next.js/issues/26938)
- Fix typo in route-loader: [#26942](https://redirect.github.com/vercel/next.js/issues/26942)
- More explicit typing for `IncrementalCache` API: [#26941](https://redirect.github.com/vercel/next.js/issues/26941)
- Fix merge issue and use `respondWith`: [#26961](https://redirect.github.com/vercel/next.js/issues/26961)
- (next/image): Merge query string params in imgix loader: [#26719](https://redirect.github.com/vercel/next.js/issues/26719)
- Fix: (rewrites) incorrect parsing of destination query: [#26619](https://redirect.github.com/vercel/next.js/issues/26619)
- Fix forward slash encoding while interpolating: [#26963](https://redirect.github.com/vercel/next.js/issues/26963)
- update webpack to 5.43.0: [#26979](https://redirect.github.com/vercel/next.js/issues/26979)
- Rename `next/script` interface Props to ScriptProps: [#26990](https://redirect.github.com/vercel/next.js/issues/26990)
- Don't lazy-load already-loaded image in client-side transition: [#26968](https://redirect.github.com/vercel/next.js/issues/26968)
- Loosen `next/image` TS types for `width` and `height`: [#26991](https://redirect.github.com/vercel/next.js/issues/26991)
- Add `dangerously-unoptimized` loader for next/image: [#26847](https://redirect.github.com/vercel/next.js/issues/26847)
- Fix hash change events not firing with i18n: [#26994](https://redirect.github.com/vercel/next.js/issues/26994)
- Loosen `next/image` TS types for `src`: [#26996](https://redirect.github.com/vercel/next.js/issues/26996)
- Provide Next.js postcss version to cssnano-simple: [#26952](https://redirect.github.com/vercel/next.js/issues/26952)
- Rename next/image `dangerously-unoptimized` to `custom` and warn when applicable: [#26998](https://redirect.github.com/vercel/next.js/issues/26998)
- Add newline to the end of `next-env.d.ts`: [#27028](https://redirect.github.com/vercel/next.js/issues/27028)
- Add performance tracing for next-image-loader: [#27043](https://redirect.github.com/vercel/next.js/issues/27043)
- Include message body in redirect responses: [#25257](https://redirect.github.com/vercel/next.js/issues/25257)
- add support for esm externals: [#27069](https://redirect.github.com/vercel/next.js/issues/27069)
- Enhance `next dev` performance with placeholder=blur: [#27061](https://redirect.github.com/vercel/next.js/issues/27061)
- Add batching to zipkin reporter: [#27082](https://redirect.github.com/vercel/next.js/issues/27082)
- Bind sendBeacon to navigator: [#26601](https://redirect.github.com/vercel/next.js/issues/26601)
- Fall back to fallbackSend when send is false: [#27113](https://redirect.github.com/vercel/next.js/issues/27113)
- Upgrades `web-vitals` to v1.1.2.: [#25272](https://redirect.github.com/vercel/next.js/issues/25272)
- Prevent timeout when loading routes in development: [#25749](https://redirect.github.com/vercel/next.js/issues/25749)
- Workaround for Node.js 16+ on Apple Silicon M1: [#27031](https://redirect.github.com/vercel/next.js/issues/27031)
- Replace `withCoalescedInvoke` with `ResponseCache`: [#26997](https://redirect.github.com/vercel/next.js/issues/26997)
- Add some missing fields to the NextConfig type: [#27126](https://redirect.github.com/vercel/next.js/issues/27126)
- Update redirect regexes to not match \_next: [#27143](https://redirect.github.com/vercel/next.js/issues/27143)
- Bump babel target to Node.js 12: [#27147](https://redirect.github.com/vercel/next.js/issues/27147)
- Use SWC to compile Next.js core server files: [#27167](https://redirect.github.com/vercel/next.js/issues/27167)
- Fix css minify incorrectly duplicating variables: [#27150](https://redirect.github.com/vercel/next.js/issues/27150)
- Fix gsp generation with file extension: [#27144](https://redirect.github.com/vercel/next.js/issues/27144)
- Add `minimumCacheTTL` config for Image Optimization: [#27200](https://redirect.github.com/vercel/next.js/issues/27200)
- Fix Script beforeInteractive on navigation: [#26995](https://redirect.github.com/vercel/next.js/issues/26995)
- improve static generation UX: [#27171](https://redirect.github.com/vercel/next.js/issues/27171)
- Add warning for large number of routes: [#27214](https://redirect.github.com/vercel/next.js/issues/27214)
- Add x-forward headers to external rewrites: [#17557](https://redirect.github.com/vercel/next.js/issues/17557)
- \[ESLint] Remove error when file patterns are unmatched + ESLint setup changes: [#27119](https://redirect.github.com/vercel/next.js/issues/27119)
- Fix inline scripts being duplicated when used with `next/script` component: [#27218](https://redirect.github.com/vercel/next.js/issues/27218)
- Fix `minimumCacheTTL` so it doesn't affect browser caching: [#27307](https://redirect.github.com/vercel/next.js/issues/27307)
- Fix default server host value causing issues on Windows: [#27306](https://redirect.github.com/vercel/next.js/issues/27306)
- Fix `placeholder=blur` inside `
This PR contains the following updates:
- `next`: `^5.1.0` -> `^11.0.0`
GitHub Vulnerability Alerts
CVE-2020-5284
Impact
- `serverless` target
- `next export`
We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.
Patches
https://github.com/zeit/next.js/releases/tag/v9.3.2
References
https://github.com/zeit/next.js/releases/tag/v9.3.2
CVE-2021-43803
Advisory text as given above: in Next.js versions above 11.1.0 and below 12.0.5, invalid or malformed URLs could crash the server; patched in 12.0.5 and 11.1.3.
CVE-2021-37699
Advisory text as given above: specially encoded paths could cause an open redirect when `pages/_error.js` was statically generated; affected versions 10.0.5 to 10.2.0 and 11.0.0 to 11.0.1 (see Impact above).
Patches
https://github.com/vercel/next.js/releases/tag/v11.1.0
Release Notes
vercel/next.js (next)
### [`v11.1.3`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.3)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.2...v11.1.3)

See https://github.com/vercel/next.js/releases/v12.0.5 for details about this patch.

### [`v11.1.2`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.2)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.1...v11.1.2)

##### Core Changes

- chore: upgrade styled-jsx to 4.0.1: [#28626](https://redirect.github.com/vercel/next.js/issues/28626)
- getServerSideProps should support props value as Promise: [#28607](https://redirect.github.com/vercel/next.js/issues/28607)
- Ensure custom app regex is correct for Windows: [#28631](https://redirect.github.com/vercel/next.js/issues/28631)

##### Credits

Huge thanks to [@huozhi](https://redirect.github.com/huozhi) and [@kara](https://redirect.github.com/kara) for helping!

### [`v11.1.1`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.1)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.1.0...v11.1.1)

##### Core Changes

- Next.js swc publish flow: [#27984](https://redirect.github.com/vercel/next.js/issues/27984)
- Ensure config file message is only shown once: [#28017](https://redirect.github.com/vercel/next.js/issues/28017)
- Add missing fields to `NextConfig` type: [#27974](https://redirect.github.com/vercel/next.js/issues/27974)
- use a shared worker pool for collecting page data and static page generation: [#27924](https://redirect.github.com/vercel/next.js/issues/27924)
- Use [@next](https://redirect.github.com/next) scope for native packages: [#28046](https://redirect.github.com/vercel/next.js/issues/28046)
- Fix `generateBuildId` type that can be async function: [#28040](https://redirect.github.com/vercel/next.js/issues/28040)
- Fix image optimization encoding url: [#28045](https://redirect.github.com/vercel/next.js/issues/28045)
- Clean up `Document` in preparation for streaming: [#28032](https://redirect.github.com/vercel/next.js/issues/28032)
- Render as a concatenation of streams: [#28082](https://redirect.github.com/vercel/next.js/issues/28082)
- Add support for dynamic HTML: [#28085](https://redirect.github.com/vercel/next.js/issues/28085)
- Support suspense in next dynamic: [#27611](https://redirect.github.com/vercel/next.js/issues/27611)
- Handle blob urls in image component: [#27975](https://redirect.github.com/vercel/next.js/issues/27975)
- Bypass webpack compilation for precompiled [@next/polyfills-nomodule](https://redirect.github.com/next/polyfills-nomodule): [#27596](https://redirect.github.com/vercel/next.js/issues/27596)
- Update `util` to 0.12.4: [#27939](https://redirect.github.com/vercel/next.js/issues/27939)
- Remove duplicate doctypes: [#28089](https://redirect.github.com/vercel/next.js/issues/28089)
- Fix revalidate for initial notFound: true paths: [#28097](https://redirect.github.com/vercel/next.js/issues/28097)
- Add proper error when failing to load next.config.js: [#28099](https://redirect.github.com/vercel/next.js/issues/28099)
- Fix: wrong link error message: [#28127](https://redirect.github.com/vercel/next.js/issues/28127)
- Add support for Jaeger trace target: [#28129](https://redirect.github.com/vercel/next.js/issues/28129)
- Enable pure client suspense in blocking rendering: [#28165](https://redirect.github.com/vercel/next.js/issues/28165)
- Add entrypoint tracing: [#25538](https://redirect.github.com/vercel/next.js/issues/25538)
- Add module type to build-module trace: [#28128](https://redirect.github.com/vercel/next.js/issues/28128)
- Update to latest babel versions: [#28174](https://redirect.github.com/vercel/next.js/issues/28174)
- Improve jaeger traces: [#28168](https://redirect.github.com/vercel/next.js/issues/28168)
- fix development mode bug with pages with "+" and other special characters: [#28122](https://redirect.github.com/vercel/next.js/issues/28122)
- let loaders automatically infer source map setting: [#28204](https://redirect.github.com/vercel/next.js/issues/28204)
- Avoid fs write `next-env.d.ts` on read-only filesystems: [#28206](https://redirect.github.com/vercel/next.js/issues/28206)
- Document usage of suspense option of next/dynamic: [#28210](https://redirect.github.com/vercel/next.js/issues/28210)
- Add warning when parent styles break `next/image`: [#28221](https://redirect.github.com/vercel/next.js/issues/28221)
- Use `zen-observable` library: [#28214](https://redirect.github.com/vercel/next.js/issues/28214)
- Fix HMR when custom \_app or \_document is removed: [#28227](https://redirect.github.com/vercel/next.js/issues/28227)
- Add relationship between issuer and module to traces: [#28192](https://redirect.github.com/vercel/next.js/issues/28192)
- Update generating next-server dependencies: [#28223](https://redirect.github.com/vercel/next.js/issues/28223)
- Fix `next/image` blur placeholder when JS is disabled: [#28269](https://redirect.github.com/vercel/next.js/issues/28269)
- Ensure adding \_app/\_document HMRs correctly: [#28279](https://redirect.github.com/vercel/next.js/issues/28279)
- upgrade webpack to 5.51.1: [#28291](https://redirect.github.com/vercel/next.js/issues/28291)
- \[ESLint] Adds `process.exit` to `next lint` success output: [#28299](https://redirect.github.com/vercel/next.js/issues/28299)
- Fix next env vars injection in dynamic: [#28309](https://redirect.github.com/vercel/next.js/issues/28309)
- Add layout to data-nimg attribute: [#28312](https://redirect.github.com/vercel/next.js/issues/28312)
- Add data attribute to script component: [#28310](https://redirect.github.com/vercel/next.js/issues/28310)
- Ensure [@babel/core](https://redirect.github.com/babel/core) is de-duped when nccing: [#28384](https://redirect.github.com/vercel/next.js/issues/28384)
- Fix forked NODE_OPTIONS except for inspect: [#28420](https://redirect.github.com/vercel/next.js/issues/28420)
- \[ESLint] Enable caching by default: [#28349](https://redirect.github.com/vercel/next.js/issues/28349)
- Update test config to leverage swc: [#28400](https://redirect.github.com/vercel/next.js/issues/28400)
- Add missing `typescript` property to `NextConfig`: [#28459](https://redirect.github.com/vercel/next.js/issues/28459)
- next/script fix duplicate scripts: [#28428](https://redirect.github.com/vercel/next.js/issues/28428)
- Ensure error is shown correctly for empty headers field: [#28430](https://redirect.github.com/vercel/next.js/issues/28430)
- Add default trace format that is exported automatically: [#28461](https://redirect.github.com/vercel/next.js/issues/28461)
- Update i18n locales limit to warning: [#28429](https://redirect.github.com/vercel/next.js/issues/28429)
- Fix handling for 204 status code with a body: [#28479](https://redirect.github.com/vercel/next.js/issues/28479)
- Update warning when parent styles break `next/image`: [#28517](https://redirect.github.com/vercel/next.js/issues/28517)
- Support for functional Document components: [#28515](https://redirect.github.com/vercel/next.js/issues/28515)
- Ensure dev server side errors are correct: [#28520](https://redirect.github.com/vercel/next.js/issues/28520)
- Add CSP to Image Optimization API: [#28620](https://redirect.github.com/vercel/next.js/issues/28620)

##### Documentation Changes

- Fix incorrect error manifest path: [#27970](https://redirect.github.com/vercel/next.js/issues/27970)
- Add testing docs: [#27965](https://redirect.github.com/vercel/next.js/issues/27965)
- \[DOCS] Update testing docs: [#28064](https://redirect.github.com/vercel/next.js/issues/28064)
- \[ESLint] Disallow inside \_document.js & inside the next/head component: [#27257](https://redirect.github.com/vercel/next.js/issues/27257)
- Docs: Mention 3rd option 'blocking' for fallback: [#28077](https://redirect.github.com/vercel/next.js/issues/28077)
- Add a Styling Section to next/image component docs: [#28055](https://redirect.github.com/vercel/next.js/issues/28055)
- Improve React Strict Mode documentation.: [#28139](https://redirect.github.com/vercel/next.js/issues/28139)
- doc: fix typo: [#28146](https://redirect.github.com/vercel/next.js/issues/28146)
- docs: corrected the link to the example: [#28175](https://redirect.github.com/vercel/next.js/issues/28175)
- ESLint Plugin: Prefer next script component when using the inline script for Google Analytics.: [#25147](https://redirect.github.com/vercel/next.js/issues/25147)
- Update testing.md: [#28190](https://redirect.github.com/vercel/next.js/issues/28190)
- docs: Add link to Cypress GitHub Actions Guide to Testing docs: [#28207](https://redirect.github.com/vercel/next.js/issues/28207)
- Add docs for ESLint plugin settings and rule options: [#28059](https://redirect.github.com/vercel/next.js/issues/28059)
- Add eslint rule for id attribute on inline next/script: [#27853](https://redirect.github.com/vercel/next.js/issues/27853)
- Update supported-browsers-features.md: [#28326](https://redirect.github.com/vercel/next.js/issues/28326)
- fix link to global stylesheet in from-create-react-app.md: [#28327](https://redirect.github.com/vercel/next.js/issues/28327)
- docs: update font-optimization.md: [#28397](https://redirect.github.com/vercel/next.js/issues/28397)
- Improved `next/image` docs around layouts.: [#28345](https://redirect.github.com/vercel/next.js/issues/28345)
- Minor docs edit: cors -> CORS: [#28472](https://redirect.github.com/vercel/next.js/issues/28472)
- Update docs for `sharp` usage to mention Vercel: [#28476](https://redirect.github.com/vercel/next.js/issues/28476)
- Use recommended pattern in testing example: [#28404](https://redirect.github.com/vercel/next.js/issues/28404)
- Update with-jest packages and docs: [#28209](https://redirect.github.com/vercel/next.js/issues/28209)
- Add docs for using pageExtensions to colocate other files with page components: [#22740](https://redirect.github.com/vercel/next.js/issues/22740)
- Small grammar fixes: [#28590](https://redirect.github.com/vercel/next.js/issues/28590)

##### Example Changes

- Make sure all example packages has `private: true`: [#28008](https://redirect.github.com/vercel/next.js/issues/28008)
- next-env.d.ts note in templates: [#27983](https://redirect.github.com/vercel/next.js/issues/27983)
- Add `.gitignore` to examples that lack them: [#28003](https://redirect.github.com/vercel/next.js/issues/28003)
- Update Firebase hosting example to use Node.js 14.: [#27988](https://redirect.github.com/vercel/next.js/issues/27988)
- Examples: Jotai: [#27940](https://redirect.github.com/vercel/next.js/issues/27940)
- Remove `licence` from all `example/package.json` that has them: [#28007](https://redirect.github.com/vercel/next.js/issues/28007)
- Add ci script to check examples: [#28009](https://redirect.github.com/vercel/next.js/issues/28009)
- Replace CSS tag with JS import: [#28143](https://redirect.github.com/vercel/next.js/issues/28143)
- Fixed typos that existed on some files: [#28314](https://redirect.github.com/vercel/next.js/issues/28314)
- Add Temporal example: [#28348](https://redirect.github.com/vercel/next.js/issues/28348)
- \[examples] Added `with-couchbase` example: [#27184](https://redirect.github.com/vercel/next.js/issues/27184)
- \[examples] Add ElasticSearch example: [#28043](https://redirect.github.com/vercel/next.js/issues/28043)
- Fix: changing import syntax slightly to ensure success with `create-next-app`: [#28431](https://redirect.github.com/vercel/next.js/issues/28431)
- Add prop-types in package.json: [#28481](https://redirect.github.com/vercel/next.js/issues/28481)
- Update to use the latest MongoDB best practices to limit connection pooling issues.: [#28350](https://redirect.github.com/vercel/next.js/issues/28350)
- Add apiVersion to config: [#28610](https://redirect.github.com/vercel/next.js/issues/28610)

##### Misc Changes

- Tests: Execute development-logs tests.: [#27996](https://redirect.github.com/vercel/next.js/issues/27996)
- Fix publish native script: [#28037](https://redirect.github.com/vercel/next.js/issues/28037)
- Authenticate npm before publishing native packages: [#28041](https://redirect.github.com/vercel/next.js/issues/28041)
- publish flow fixes: [#28050](https://redirect.github.com/vercel/next.js/issues/28050)
- USe await correctly: [#28053](https://redirect.github.com/vercel/next.js/issues/28053)
- Refactor development-logs removing duplicated code.: [#28049](https://redirect.github.com/vercel/next.js/issues/28049)
- Fix gh action workflow when docs changed: [#28092](https://redirect.github.com/vercel/next.js/issues/28092)
- Skip native ci steps for docs only changes: [#28101](https://redirect.github.com/vercel/next.js/issues/28101)
- Add setup for m1 build: [#28138](https://redirect.github.com/vercel/next.js/issues/28138)
- fix(tests): fixes typo in basic integration test: [#28158](https://redirect.github.com/vercel/next.js/issues/28158)
- Fix crash of lint rule no-document-import-in-page: [#28148](https://redirect.github.com/vercel/next.js/issues/28148)
- docs: make contributing.md more contributor-friendly: [#27913](https://redirect.github.com/vercel/next.js/issues/27913)
- Update polling env var for tests in CI: [#28264](https://redirect.github.com/vercel/next.js/issues/28264)
- Ensure all packages are packed while tracing: [#28263](https://redirect.github.com/vercel/next.js/issues/28263)
- Use temp repo copy while linking packages: [#28301](https://redirect.github.com/vercel/next.js/issues/28301)
- feat: upgrade swc/core to 1.2.80: [#28347](https://redirect.github.com/vercel/next.js/issues/28347)
- Move unit tests to one folder and migrate them to TypeScript: [#28427](https://redirect.github.com/vercel/next.js/issues/28427)
- Tests: Adds test to data-nimg data attribute based on layout prop.: [#28444](https://redirect.github.com/vercel/next.js/issues/28444)
- Remove unused imports
- \[ESLint Plugin] Handles edge case for `no-import-document-in-page` rule: [#28261](https://redirect.github.com/vercel/next.js/issues/28261)
- Tests: Remove unnecessary await: [#28594](https://redirect.github.com/vercel/next.js/issues/28594)

##### Credits

Huge thanks to [@delbaoliveira](https://redirect.github.com/delbaoliveira), [@padmaia](https://redirect.github.com/padmaia), [@andersonleite](https://redirect.github.com/andersonleite), [@stefanprobst](https://redirect.github.com/stefanprobst), [@oBusk](https://redirect.github.com/oBusk), [@sokra](https://redirect.github.com/sokra), [@xnuk](https://redirect.github.com/xnuk), [@styfle](https://redirect.github.com/styfle), [@leerob](https://redirect.github.com/leerob), [@devknoll](https://redirect.github.com/devknoll), [@huozhi](https://redirect.github.com/huozhi), [@timneutkens](https://redirect.github.com/timneutkens), [@awareness481](https://redirect.github.com/awareness481), [@agektmr](https://redirect.github.com/agektmr), [@gu-stav](https://redirect.github.com/gu-stav), [@sampoder](https://redirect.github.com/sampoder), [@Thisen](https://redirect.github.com/Thisen), [@ijjk](https://redirect.github.com/ijjk), [@oscarafuentes](https://redirect.github.com/oscarafuentes), [@AryanBeezadhur](https://redirect.github.com/AryanBeezadhur), [@bmuenzenmeyer](https://redirect.github.com/bmuenzenmeyer), [@tdkn](https://redirect.github.com/tdkn), [@rgabs](https://redirect.github.com/rgabs), [@urko-pineda](https://redirect.github.com/urko-pineda), [@davecaruso](https://redirect.github.com/davecaruso), [@kevinold](https://redirect.github.com/kevinold), [@ctjlewis](https://redirect.github.com/ctjlewis), [@chrislloyd](https://redirect.github.com/chrislloyd), [@mrmckeb](https://redirect.github.com/mrmckeb), [@housseindjirdeh](https://redirect.github.com/housseindjirdeh), [@hiro0218](https://redirect.github.com/hiro0218), [@Bezmehrabi](https://redirect.github.com/Bezmehrabi), [@atcastle](https://redirect.github.com/atcastle), [@janicklas-ralph](https://redirect.github.com/janicklas-ralph), [@lorensr](https://redirect.github.com/lorensr), [@lekterable](https://redirect.github.com/lekterable), [@vcnc-hex](https://redirect.github.com/vcnc-hex), [@ejscribner](https://redirect.github.com/ejscribner), [@Andarist](https://redirect.github.com/Andarist), [@aravindputrevu](https://redirect.github.com/aravindputrevu), [@robbieaverill](https://redirect.github.com/robbieaverill), [@zhafri-shafiq](https://redirect.github.com/zhafri-shafiq), [@htunnicliff](https://redirect.github.com/htunnicliff), [@kukicado](https://redirect.github.com/kukicado), [@OzzieOrca](https://redirect.github.com/OzzieOrca), [@mikehedman](https://redirect.github.com/mikehedman), and [@kmelve](https://redirect.github.com/kmelve) for helping!

### [`v11.1.0`](https://redirect.github.com/vercel/next.js/releases/tag/v11.1.0)

[Compare Source](https://redirect.github.com/vercel/next.js/compare/v11.0.1...v11.1.0)

A security team from one of our partners noticed an issue in Next.js that allowed for an open redirect to occur. Specially encoded paths could be used when `pages/_error.js` was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.

We recommend upgrading to the latest version of Next.js to improve the overall security of your application.

#### How to Upgrade

- We have released patch versions for both the stable and canary channels of Next.js.
- To upgrade run `npm install next@latest --save`

#### Impact

- **Affected:** Users of Next.js between 10.0.5 and 10.2.0
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using `pages/_error.js` without `getInitialProps`
- **Affected:** Users of Next.js between 11.0.0 and 11.0.1 using `pages/_error.js` and `next export`
- **Not affected:** Deployments on Vercel ([vercel.com](https://vercel.com)) are not affected
- **Not affected:** Deployments **with** `pages/404.js`

We recommend that everyone upgrade, regardless of whether you can reproduce the issue.

##### How to Assess Impact

If you think sensitive code or data could have been exposed, you can filter logs of affected sites by `//` (double slash at the start of the URL) followed by a domain.

#### What is Being Done

As Next.js has grown in popularity and usage by enterprises, it has received the attention of security researchers and auditors. We are thankful to Gabriel Benmergui from Robinhood for their investigation and discovery of the original bug and subsequent responsible disclosure.

- We've landed a patch that ensures path parsing is handled properly for these paths so that the open redirect can no longer occur. Regression tests for this attack were added to the [security](https://redirect.github.com/zeit/next.js/blob/canary/test/integration/production/test/security.js) integration test suite
- We have notified known Next.js users in advance of this publication.
- A public CVE was released.
- We encourage responsible disclosure of future reports. Please email us at `security@vercel.com`. We are actively monitoring this mailbox.
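The log filter described under "How to Assess Impact", as an added example that is not Next.js project code: it parses Combined Log Format lines (a constructed sample is embedded) and flags request paths that begin with `//` followed by a domain. Checking a percent-decoded copy of each path as well is an assumption added here, since the advisory describes the paths as specially encoded; `attacker.example` is a placeholder domain.

```javascript
// Added example (not Next.js project code): applies the advisory's log check,
// "//" at the start of the request path followed by a domain, to access-log
// lines. Assumes Combined Log Format; checking a percent-decoded copy of each
// path as well is an assumption added here, since the advisory describes the
// paths as specially encoded.

// Combined Log Format: client ident user [time] "METHOD PATH PROTO" status ...
const LOG_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// A domain-like token: dot-separated labels of letters, digits and hyphens.
const HOST_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i;

function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Percent-decode without throwing on malformed sequences such as a lone "%".
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// Returns the domain that a "//<domain>..." path points at, or null.
// Both the raw path and its decoded form are checked, so "/%2F%2Fhost" is
// caught too; "//static/x" is not flagged because "static" contains no dot.
function externalHostFromPath(path) {
  for (const candidate of [path, safeDecode(path)]) {
    if (!candidate.startsWith('//')) continue;
    const rest = candidate.slice(2).replace(/^\/+/, ''); // "///host" also counts
    const host = HOST_RE.exec(rest);
    if (host) return host[0].toLowerCase();
  }
  return null;
}

// Scans log lines and returns the parsed entries whose path matches, each
// annotated with the external domain the path points at.
function findOpenRedirectHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    const entry = parseLogLine(line);
    if (!entry) continue; // unparseable line: skip rather than abort the scan
    const host = externalHostFromPath(entry.path);
    if (host) hits.push({ ...entry, host });
  }
  return hits;
}

// Constructed sample log lines (not real traffic); attacker.example is a
// placeholder domain, 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Aug/2021:12:00:01 +0000] "GET /about HTTP/1.1" 200 512',
  '203.0.113.7 - - [10/Aug/2021:12:00:02 +0000] "GET //attacker.example/login HTTP/1.1" 308 0',
  '198.51.100.9 - - [10/Aug/2021:12:00:03 +0000] "GET /%2F%2Fattacker.example HTTP/1.1" 308 0',
  '198.51.100.9 - - [10/Aug/2021:12:00:04 +0000] "GET //static/logo.png HTTP/1.1" 404 120',
  'malformed line that should be skipped',
];

for (const hit of findOpenRedirectHits(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.client} ${hit.method} ${hit.path} -> ${hit.host}`);
}
```

A hit only shows that such a path was requested from the site; the response status recorded alongside it tells you whether the deployment actually answered with a redirect.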
***

#### Release notes

##### Core Changes

- Don't test image domains in test env: [#26502](https://redirect.github.com/vercel/next.js/issues/26502)
- Fix props not updating when changing the locale and keeping hash: [#26205](https://redirect.github.com/vercel/next.js/issues/26205)
- Allow user to override next-image-loader: [#26548](https://redirect.github.com/vercel/next.js/issues/26548)
- Add logging when a custom babelrc is loaded: [#26570](https://redirect.github.com/vercel/next.js/issues/26570)
- Add comment to not edit in next-env file: [#26573](https://redirect.github.com/vercel/next.js/issues/26573)
- Add trace url on bootup: [#26594](https://redirect.github.com/vercel/next.js/issues/26594)
- Add check for ObjectExpression when iterating on tags for font optimization: [#26608](https://redirect.github.com/vercel/next.js/issues/26608)
- Fix GSP redirect cache error: [#26627](https://redirect.github.com/vercel/next.js/issues/26627)
- Correct statusCode when visiting \_error directly: [#26610](https://redirect.github.com/vercel/next.js/issues/26610)
- fix: next dynamic with jest: [#26614](https://redirect.github.com/vercel/next.js/issues/26614)
- Ensure API routes are not available under the locale: [#26629](https://redirect.github.com/vercel/next.js/issues/26629)
- Fix image content type octet stream 400: [#26705](https://redirect.github.com/vercel/next.js/issues/26705)
- \[ESLint] Adds --max-warnings flag to `next lint`: [#26697](https://redirect.github.com/vercel/next.js/issues/26697)
- Simplify `next-dev-server` implementation: [#26230](https://redirect.github.com/vercel/next.js/issues/26230)
- Move code shared between server/client to "shared" folder: [#26734](https://redirect.github.com/vercel/next.js/issues/26734)
- Move next-server directory files to server directory: [#26756](https://redirect.github.com/vercel/next.js/issues/26756)
- Support new hydrate API in latest react 18 alpha release: [#26664](https://redirect.github.com/vercel/next.js/issues/26664)
- Add upstream `max-age` to optimized image: [#26739](https://redirect.github.com/vercel/next.js/issues/26739)
- Fix blurred image position when using objectPosition: [#26590](https://redirect.github.com/vercel/next.js/issues/26590)
- Leverage blocked page for \_error: [#26748](https://redirect.github.com/vercel/next.js/issues/26748)
- fix: detect loop in client error page: [#26567](https://redirect.github.com/vercel/next.js/issues/26567)
- Add `onLoadingComplete()` prop to Image component: [#26824](https://redirect.github.com/vercel/next.js/issues/26824)
- Add "Vary: Accept" header to /\_next/image responses: [#26788](https://redirect.github.com/vercel/next.js/issues/26788)
- Add additional tests for image type detection: [#26832](https://redirect.github.com/vercel/next.js/issues/26832)
- Fix immutable header for image with static import & unoptimized: [#26836](https://redirect.github.com/vercel/next.js/issues/26836)
- Make sure 404 pages do not get cached by a CDN when using next start: [#24983](https://redirect.github.com/vercel/next.js/issues/24983)
- Don't emit duplicate image files: [#26843](https://redirect.github.com/vercel/next.js/issues/26843)
- Warn when response body is larger than 5mb: [#26831](https://redirect.github.com/vercel/next.js/issues/26831)
- Fix: added the key property to the pre next scripts: [#26646](https://redirect.github.com/vercel/next.js/issues/26646)
- Ensure API route errors are propagated in minimal mode: [#26875](https://redirect.github.com/vercel/next.js/issues/26875)
- 5MB -> 4MB body size limit: [#26887](https://redirect.github.com/vercel/next.js/issues/26887)
- \[ESLint] Update default `.eslintrc` file created to have `.json` format: [#26884](https://redirect.github.com/vercel/next.js/issues/26884)
- Refactor decode failures: [#26899](https://redirect.github.com/vercel/next.js/issues/26899)
- Add initial `ResponsePayload` support: [#26938](https://redirect.github.com/vercel/next.js/issues/26938)
- Fix typo in route-loader: [#26942](https://redirect.github.com/vercel/next.js/issues/26942)
- More explicit typing for `IncrementalCache` API: [#26941](https://redirect.github.com/vercel/next.js/issues/26941)
- Fix merge issue and use `respondWith`: [#26961](https://redirect.github.com/vercel/next.js/issues/26961)
- (next/image): Merge query string params in imgix loader: [#26719](https://redirect.github.com/vercel/next.js/issues/26719)
- Fix: (rewrites) incorrect parsing of destination query: [#26619](https://redirect.github.com/vercel/next.js/issues/26619)
- Fix forward slash encoding while interpolating: [#26963](https://redirect.github.com/vercel/next.js/issues/26963)
- update webpack to 5.43.0: [#26979](https://redirect.github.com/vercel/next.js/issues/26979)
- Rename `next/script` interface Props to ScriptProps: [#26990](https://redirect.github.com/vercel/next.js/issues/26990)
- Don't lazy-load already-loaded image in client-side transition: [#26968](https://redirect.github.com/vercel/next.js/issues/26968)
- Loosen `next/image` TS types for `width` and `height`: [#26991](https://redirect.github.com/vercel/next.js/issues/26991)
- Add `dangerously-unoptimized` loader for next/image: [#26847](https://redirect.github.com/vercel/next.js/issues/26847)
- Fix hash change events not firing with i18n: [#26994](https://redirect.github.com/vercel/next.js/issues/26994)
- Loosen `next/image` TS types for `src`: [#26996](https://redirect.github.com/vercel/next.js/issues/26996)
- Provide Next.js postcss version to cssnano-simple: [#26952](https://redirect.github.com/vercel/next.js/issues/26952)
- Rename next/image `dangerously-unoptimized` to `custom` and warn when applicable: [#26998](https://redirect.github.com/vercel/next.js/issues/26998)
- Add newline to the end of `next-env.d.ts`: [#27028](https://redirect.github.com/vercel/next.js/issues/27028)
- Add performance tracing for next-image-loader: [#27043](https://redirect.github.com/vercel/next.js/issues/27043)
- Include message body in redirect responses: [#25257](https://redirect.github.com/vercel/next.js/issues/25257)
- add support for esm externals: [#27069](https://redirect.github.com/vercel/next.js/issues/27069)
- Enhance `next dev` performance with placeholder=blur: [#27061](https://redirect.github.com/vercel/next.js/issues/27061)
- Add batching to zipkin reporter: [#27082](https://redirect.github.com/vercel/next.js/issues/27082)
- Bind sendBeacon to navigator: [#26601](https://redirect.github.com/vercel/next.js/issues/26601)
- Fall back to fallbackSend when send is false: [#27113](https://redirect.github.com/vercel/next.js/issues/27113)
- Upgrades `web-vitals` to v1.1.2.: [#25272](https://redirect.github.com/vercel/next.js/issues/25272)
- Prevent timeout when loading routes in development: [#25749](https://redirect.github.com/vercel/next.js/issues/25749)
- Workaround for Node.js 16+ on Apple Silicon M1: [#27031](https://redirect.github.com/vercel/next.js/issues/27031)
- Replace `withCoalescedInvoke` with `ResponseCache`: [#26997](https://redirect.github.com/vercel/next.js/issues/26997)
- Add some missing fields to the NextConfig type: [#27126](https://redirect.github.com/vercel/next.js/issues/27126)
- Update redirect regexes to not match \_next: [#27143](https://redirect.github.com/vercel/next.js/issues/27143)
- Bump babel target to Node.js 12: [#27147](https://redirect.github.com/vercel/next.js/issues/27147)
- Use SWC to compile Next.js core server files: [#27167](https://redirect.github.com/vercel/next.js/issues/27167)
- Fix css minify incorrectly duplicating variables: [#27150](https://redirect.github.com/vercel/next.js/issues/27150)
- Fix gsp generation with file extension: [#27144](https://redirect.github.com/vercel/next.js/issues/27144)
- Add `minimumCacheTTL` config for Image Optimization: [#27200](https://redirect.github.com/vercel/next.js/issues/27200)
- Fix Script beforeInteractive on navigation: [#26995](https://redirect.github.com/vercel/next.js/issues/26995)
- improve static generation UX: [#27171](https://redirect.github.com/vercel/next.js/issues/27171)
- Add warning for large number of routes: [#27214](https://redirect.github.com/vercel/next.js/issues/27214)
- Add x-forward headers to external rewrites: [#17557](https://redirect.github.com/vercel/next.js/issues/17557)
- \[ESLint] Remove error when file patterns are unmatched + ESLint setup changes: [#27119](https://redirect.github.com/vercel/next.js/issues/27119)
- Fix inline scripts being duplicated when used with `next/script` component: [#27218](https://redirect.github.com/vercel/next.js/issues/27218)
- Fix `minimumCacheTTL` so it doesn't affect browser caching: [#27307](https://redirect.github.com/vercel/next.js/issues/27307)
- Fix default server host value causing issues on Windows: [#27306](https://redirect.github.com/vercel/next.js/issues/27306)
- Fix `placeholder=blur` inside `