https://spaceraccoon.github.io/vulnerability-spoiler-alert Vulnerability alerts for vercel/next.js en-us Fri, 17 Apr 2026 01:52:35 GMT https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/81 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/81 Tue, 17 Mar 2026 23:13:17 GMT Before this patch, Next.js development servers only warned (but did not block) cross-origin requests to internal dev assets and endpoints (/_next/*, /__nextjs*) when `allowedDevOrigins` was not configured. An attacker could craft a malicious webpage that loads or interacts with internal dev-only resources (HMR WebSocket, error feedback endpoints, internal chunks) from any origin. The patch changes the default behavior from warn-only to blocking with a 403 response, preventing unauthorized cross-origin access to dev server internals. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/77 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/77 Tue, 17 Mar 2026 02:21:23 GMT The commit patches the compiled `http-proxy` / `follow-redirects` library bundled in Next.js, referencing security advisory GHSA-ggv3-7p47-pfv8. The vulnerability involves improper handling of HTTP redirects in the `follow-redirects` library, which could allow an attacker to manipulate redirect targets to leak sensitive request headers (such as Authorization) to unintended hosts or bypass security controls via crafted redirect responses. The patch updates the compiled bundle with fixes to the redirect handling logic. high unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/76 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/76 Tue, 17 Mar 2026 02:21:01 GMT Before the patch, when the `Origin` header was set to the string `'null'` (which browsers send from privacy-sensitive contexts like sandboxed iframes), Next.js would skip the CSRF origin check entirely because the code treated `'null'` as a missing/invalid origin and fell through without validation. This allowed an attacker to embed a sandboxed iframe that submits a Server Action cross-origin with user credentials (cookies) attached, bypassing CSRF protection. The patch now treats `'null'` as a valid but opaque origin and checks it against the `allowedOrigins` allowlist, blocking unauthorized cross-origin Server Action submissions from sandboxed contexts. high unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/75 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/75 Tue, 17 Mar 2026 00:49:23 GMT Before the patch, WebSocket connections to Next.js dev server endpoints (e.g., /_next/webpack-hmr) were accepted from privacy-sensitive origins (e.g., pages served with 'sandbox' CSP that sets origin to null). The old code only blocked requests when rawOrigin was truthy AND not equal to 'null', meaning requests with origin header 'null' (sent by sandboxed iframes/pages) bypassed origin validation entirely. The patch fixes this by treating a 'null' origin as a defined but non-allowed origin, causing such requests to be blocked. high unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/57 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/57 Thu, 26 Feb 2026 14:22:19 GMT Before the patch, `ProcessEnv::read_all()` returned a serializable `EnvMap`, which could be automatically persisted into Turbopack/Next.js' on-disk persistent cache. This meant any process environment variable (including secrets like API keys and tokens) could be written to disk and later recovered by anyone with read access to the cache directory (e.g., another local user, CI artifact consumers, or a compromised build agent). The patch introduces `TransientEnvMap` with `serialization = "none"` and changes `read_all()` to return it, preventing env vars from being persisted and forcing them to be re-read from the process environment after cache restore. high unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/48 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/48 Mon, 23 Feb 2026 17:06:28 GMT The code had a concurrency bug where the follower's aggregation number was read without proper locking, allowing the inner-vs-follower classification decision to be made on stale data if the aggregation number changed concurrently. This could lead to incorrect task classification and potential data corruption in the aggregation system. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/45 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/45 Sat, 21 Feb 2026 04:12:12 GMT The script accepts user-provided file paths without validation and directly converts them to file URLs, allowing attackers to access arbitrary files on the system. The patch adds proper path handling using pathToFileURL() which normalizes paths and prevents directory traversal attacks. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/42 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/42 Fri, 20 Feb 2026 04:55:06 GMT The unhandled rejection filter module was being bundled twice, causing mutual recursion when handling unhandled Promise rejections. Each instance captured the other's handler, creating an infinite loop that would overflow the stack and crash the server on any unhandled rejection. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/32 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/32 Wed, 18 Feb 2026 17:06:36 GMT The code had a missing size check for postponed request bodies in self-hosted setups, allowing attackers to send arbitrarily large payloads that would consume server memory and potentially crash the application. The patch ensures maxPostponedStateSize is consistently enforced across all code paths that buffer postponed bodies. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/17 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/17 Fri, 13 Feb 2026 19:07:44 GMT The feature allows arbitrary webpack loader execution through import attributes without proper validation or sandboxing. An attacker can specify malicious loader code that gets executed during the build process, potentially leading to remote code execution on the build server. critical unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/6 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/6 Tue, 10 Feb 2026 13:16:21 GMT The code was directly accessing the `$typeof` property on potentially untrusted objects without proper validation, allowing attackers to exploit prototype pollution to inject malicious `$typeof` properties. The patch introduces a `readReactElementTypeof` function that uses `hasOwnProperty.call()` to safely check for the property's existence on the object itself rather than the prototype chain. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/5 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/5 Tue, 10 Feb 2026 13:14:12 GMT The code performed integer division without checking for division by zero, which could cause a panic and crash the application. The patch replaces direct division with checked_div() to handle zero divisors safely. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/4 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/4 Tue, 10 Feb 2026 13:11:00 GMT The code incorrectly used max() instead of min() to clamp worker counts, causing all systems to be treated as having 64+ cores and potentially overflowing usize on systems with many actual cores. This could lead to memory exhaustion or application crashes. medium unverified