Skip to content

[Aikido] Fix security issue in next via minor version upgrade from 14.2.24 to 14.2.32 in frontend #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Aikido] Fix security issue in next via minor version upgrade from 14.2.24 to 14.2.32 in frontend #15

wants to merge 1 commit into from

Conversation

@aikido-autofix
Copy link

@aikido-autofix aikido-autofix bot commented Oct 8, 2025

This PR will resolve the following CVEs:

CVE ID Severity Description 
CVE-2025-29927
 
🚨 CRITICAL
 Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a s... 
CVE-2025-57822
 
HIGH
 Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has ... 
CVE-2025-57752
 
MEDIUM
 Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authori... 
CVE-2025-55173
 
MEDIUM
 Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary con... 
CVE-2025-48068
 
MEDIUM
 Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local...

Related Tasks:

@aikido-autofix aikido-autofix bot added bug Something isn't working documentation Improvements or additions to documentation labels Oct 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant