chore(deps): update dependency next to v15.5.15 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	15.5.9 → 15.5.15

---

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

GHSA-h25m-26qc-wcjf

More information

Details

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
• https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
• https://nvd.nist.gov/vuln/detail/CVE-2026-23864
• https://vercel.com/changelog/summary-of-cve-2026-23864
• https://github.com/advisories/GHSA-h25m-26qc-wcjf

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

CVE-2025-59471 / GHSA-9g9p-9gw9-jx7f

More information

Details

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
• https://nvd.nist.gov/vuln/detail/CVE-2025-59471
• https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
• https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
• https://github.com/vercel/next.js/releases/tag/v15.5.10
• https://github.com/vercel/next.js/releases/tag/v16.1.5
• https://github.com/advisories/GHSA-9g9p-9gw9-jx7f

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Next.js: HTTP request smuggling in rewrites

CVE-2026-29057 / GHSA-ggv3-7p47-pfv8

More information

Details

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

• Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.
• Enforce authentication/authorization on backend routes per our security guidance.

Severity

• CVSS Score: 6.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
• https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
• https://github.com/vercel/next.js/releases/tag/v15.5.13
• https://github.com/vercel/next.js/releases/tag/v16.1.7
• https://nvd.nist.gov/vuln/detail/CVE-2026-29057
• https://github.com/advisories/GHSA-ggv3-7p47-pfv8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Next.js: Unbounded next/image disk cache growth can exhaust storage

CVE-2026-27980 / GHSA-3x4c-7xq6-9pq8

More information

Details

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

• Periodically clean .next/cache/images.
• Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

• https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8
• https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd
• https://github.com/vercel/next.js/releases/tag/v16.1.7
• https://nvd.nist.gov/vuln/detail/CVE-2026-27980
• https://github.com/advisories/GHSA-3x4c-7xq6-9pq8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Next.js has a Denial of Service with Server Components

GHSA-q4gf-8mx6-v5v3

More information

Details

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3
• https://vercel.com/changelog/summary-of-cve-2026-23869
• https://github.com/advisories/GHSA-q4gf-8mx6-v5v3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

vercel/next.js (next)

v15.5.15

Compare Source

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summary-of-cve-2026-23869

v15.5.14

Compare Source

v15.5.13

Compare Source

v15.5.12

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

• fix unlock in publish-native

This is a re-release of v15.5.11 applying the turbopack changes.

v15.5.11

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• Tracing: Fix memory leak in span map (#​85529)
• fix: ensure LRU cache items have minimum size of 1 to prevent unbounded growth (#​89134)
• Turbopack: fix NFT tracing of sharp 0.34 (#​82340)
• Turbopack: support pattern into exports field (#​82757)
• NFT tracing fixes (#​84155 and #​85323)
• Turbopack: validate CSS without computing all paths (#​83810)
• feat: implement LRU cache with invocation ID scoping for minimal mode response cache (#​89129)

Credits

Huge thanks to @​timneutkens, @​mischnic, @​ztanner, and @​wyattjoh for helping!

v15.5.10

Compare Source

Please refer the following changelogs for more information about this security release:

• https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
• https://vercel.com/changelog/summary-of-cve-2026-23864

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate using a curated preset maintained by . View repository job log here

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
preview-kit-next-app-router	Ready	Preview, Comment	May 12, 2026 3:37pm
preview-kit-next-pages-router	Ready	Preview, Comment	May 12, 2026 3:37pm
preview-kit-remix	Ready	Preview, Comment	May 12, 2026 3:37pm
preview-kit-test-studio	Ready	Preview, Comment	May 12, 2026 3:37pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​next@​15.5.9 ⏵ 15.5.15	-13	+5	+1
	npm/​@​types/​react@​19.2.9 ⏵ 19.2.14	+1		+1
	npm/​isbot@​5.1.33 ⏵ 5.1.40				+2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm next is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: apps/next-app-router/package.json → npm/next@15.5.15 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@15.5.15. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report