Skip to content

fix(deps): update dependency next to v16.1.5 [security] #1884

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
simonknittel merged 1 commit into from
Jan 28, 2026
Merged

fix(deps): update dependency next to v16.1.5 [security] #1884

simonknittel merged 1 commit into from
Jan 28, 2026

Conversation

@simonknittel
Copy link
Owner

@simonknittel simonknittel commented Jan 28, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
next (source) 16.1.4 -> 16.1.5 age confidence

GitHub Vulnerability Alerts

CVE-2025-59471

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

CVE-2025-59471 / GHSA-9g9p-9gw9-jx7f

More information

Details

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

vercel/next.js (next)

v16.1.5

Compare Source

Please refer the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
https://vercel.com/changelog/summary-of-cve-2026-23864

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copilot AI review requested due to automatic review settings January 28, 2026 00:25
@vercel
Copy link

vercel bot commented Jan 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Review Updated (UTC)
sam Ignored Ignored Jan 28, 2026 0:25am

Copilot AI reviewed Jan 28, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Next.js dependency from version 16.1.4 to 16.1.5 to address critical security vulnerabilities, specifically CVE-2025-59471 (DoS vulnerability in the Image Optimizer) and CVE-2026-23864.

Changes:

  • Updated Next.js dependency to patch security vulnerabilities related to image optimization and DoS attacks
Files not reviewed (1)
  • app/package-lock.json: Language not supported

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 28, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@socket-security
Copy link

socket-security bot commented Jan 28, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​vitest/​coverage-v8@​3.2.4991007299100
Addedclsx@​2.1.11001009480100
Addedchange-case@​5.4.41001009480100
Addedcsv@​6.4.1991009981100
Added@​uidotdev/​usehooks@​2.4.11001009382100
Added@​vercel/​analytics@​1.6.199100838770
Addedcmdk@​1.1.110010010083100
Addedautoprefixer@​10.4.231001008984100
Added@​vercel/​speed-insights@​1.3.1991008687100
Added@​unleash/​nextjs@​1.6.29810010087100
Added@​xyflow/​react@​12.10.09710010091100
Addedalgoliasearch@​4.25.39910096100100

View full report

@simonknittel simonknittel merged commit 35d4636 into develop Jan 28, 2026
8 checks passed
@simonknittel simonknittel deleted the renovate-self-hosted/npm-next-vulnerability branch January 28, 2026 06:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@simonknittel @renovate-bot