Next.js 12.3.x Release Notes

5 versions

Changelog and Release Notes for the NES version of Next.js 12.3.x

Feb 4, 2026
Latest: 12.3.12
6 Patched Vulnerabilities

February 2026

12.3.12

Released on Feb 4, 2026

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/next@12.3.7-next-12.3.12
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.12
    • @neverendingsupport/next-env@12.3.7-next-12.3.12
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.12
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.12
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.12
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.12
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.12
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.12
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.12

Security Fixes

  • next/image-optimizer:
    • Add maximum response body size enforcement to prevent excessive memory usage from oversized remote images. The optimizer now implements two-stage validation: Content-Length header checks reject large responses before buffering, and post-buffer validation catches cases where Content-Length is missing or dishonest.
      • This fixes a medium-severity Denial of Service (DoS) vulnerability (CVE-2025-59471).

Breaking Changes

  • next/image-optimizer:
    • The image optimizer now enforces a maximum response body size of 50MB for remote images. Requests for images that exceed this limit will be rejected with a 413 - Content Too Large response status code. This change prevents excessive memory usage and potential DoS attacks from oversized remote images.
    • This limit can be configured in applications by setting the MaxResponseBodySize property to a custom value in bytes in a next.config.js file. The example below sets it through the images.maximumResponseBody key:
      // next.config.js
      module.exports = {
        images: {
          maximumResponseBody: 25_000, // bytes
        },
      }
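
The two-stage size check described under Security Fixes, with the 413 rejection from the breaking change, as an added example (not the NES or Next.js source). The function names and the { headers, chunks } model of an upstream response are assumptions made so that it runs offline.

```javascript
// Added example, not the NES or Next.js source. Upstream responses are
// modelled as { headers, chunks } so the logic runs offline.
const MAX_BYTES = 50 * 1024 * 1024; // default limit stated in the notes

class BodyTooLargeError extends Error {
  constructor(message) {
    super(message);
    this.statusCode = 413; // Content Too Large
  }
}

// Stage 1: reject on the declared size before any body bytes are buffered.
// An absent or unparsable header proves nothing, so stage 2 still runs.
function checkDeclaredLength(contentLength, maxBytes = MAX_BYTES) {
  if (contentLength === undefined || !/^\d+$/.test(String(contentLength))) return;
  if (Number(contentLength) > maxBytes) {
    throw new BodyTooLargeError(`declared ${contentLength} bytes exceeds ${maxBytes}`);
  }
}

// Stage 2: count the bytes actually received. This sketch checks while
// accumulating (stricter than checking once after buffering), which covers
// a missing or understated Content-Length.
function bufferWithLimit(chunks, maxBytes = MAX_BYTES) {
  const kept = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) {
      throw new BodyTooLargeError(`received more than ${maxBytes} bytes`);
    }
    kept.push(chunk);
  }
  return Buffer.concat(kept, total);
}

function fetchRemoteImage(upstream, maxBytes = MAX_BYTES) {
  try {
    checkDeclaredLength(upstream.headers['content-length'], maxBytes);
    return { status: 200, body: bufferWithLimit(upstream.chunks, maxBytes) };
  } catch (err) {
    if (err instanceof BodyTooLargeError) return { status: err.statusCode, body: null };
    throw err;
  }
}

// Constructed input: header claims 4 bytes, body delivers 16, limit is 10.
const dishonest = { headers: { 'content-length': '4' }, chunks: [Buffer.alloc(8), Buffer.alloc(8)] };
console.log(fetchRemoteImage(dishonest, 10).status);
```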
      

October 2025

Notes

  • Full package name(s) and version(s):
    • @neverendingsupport/next@12.3.7-next-12.3.11
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.11
    • @neverendingsupport/next-env@12.3.7-next-12.3.11
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.11
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.11
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.11
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.11
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.11
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.11
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.11

Security Fixes

  • next/image-optimizer:
    • Improve image optimizer logic to avoid falling back to the upstream's Content-Type header when magic number detection fails. This ensures that responses are only cached when confidently identified as image content and do not mistakenly reuse cache keys for user-specific responses.
      • This fixes a medium-severity Content Injection vulnerability (CVE-2025-55173).
    • Improve image optimizer by ensuring request headers aren't forwarded to the request that is proxied to the image endpoint. This ensures that the image endpoint cannot be used to serve images that require authorization data and thus cannot be cached.
      • This fixes a medium-severity Cache Poisoning vulnerability (CVE-2025-57752).
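
The content-type decision described in the first fix above, shown before and after, as an added example (not the NES or Next.js source). The function names and the signature table are assumptions of this sketch, and only four common formats are covered.

```javascript
// Added example, not the NES or Next.js source: decide what may be cached
// from the body's leading bytes only, never from the upstream header.
const SIGNATURES = [
  { mime: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
  // WebP: "RIFF" <4-byte size> "WEBP"; null marks a byte that may be anything.
  { mime: 'image/webp', bytes: [0x52, 0x49, 0x46, 0x46, null, null, null, null, 0x57, 0x45, 0x42, 0x50] },
];

// Returns the detected MIME type, or null when no signature matches.
function detectImageType(buffer) {
  for (const { mime, bytes } of SIGNATURES) {
    if (buffer.length < bytes.length) continue;
    if (bytes.every((b, i) => b === null || buffer[i] === b)) return mime;
  }
  return null;
}

// Behaviour the fix removes: on a detection miss, trust the upstream header.
function resolveTypeWithFallback(buffer, upstreamContentType) {
  return detectImageType(buffer) || upstreamContentType || null;
}

// Behaviour after the fix: a detection miss means "not an image", so the
// response is neither served as an image nor written to the cache.
function resolveTypeStrict(buffer) {
  const mime = detectImageType(buffer);
  return mime
    ? { cacheable: true, contentType: mime }
    : { cacheable: false, contentType: null };
}

// Constructed input: an HTML body that the upstream labels as image/png.
const htmlBody = Buffer.from('<html>account page for one user</html>');
console.log(resolveTypeWithFallback(htmlBody, 'image/png')); // header wins
console.log(resolveTypeStrict(htmlBody));                    // rejected
```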

June 2025

Notes

  • This release implements a new package naming scheme for the Next.js packages. More information about the change can be found in the NES Decoupled Namespace Specification.
  • Full package name(s) and version(s):
    • @neverendingsupport/next@12.3.7-next-12.3.10
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.10
    • @neverendingsupport/next-env@12.3.7-next-12.3.10
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.10
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.10
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.10
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.10
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.10
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.10
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.10

Security Fixes

  • next/image-optimizer:
    • Added validation to detect and reject recursive URLs in the Image Optimization endpoint. Includes defensive decoding of URL pathnames to properly detect encoded recursion attempts, preventing resource exhaustion.
      • This fixes a high-severity Denial of Service vulnerability (CVE-2024-47831).
  • next/server:
    • Added locale parameter validation to prevent authorization bypass through malicious __nextLocale and __nextDefaultLocale query parameters. Validation happens at two critical points in the request lifecycle to prevent bypass through middleware parameter reintroduction.
      • This fixes a high-severity Authorization Bypass vulnerability (CVE-2024-51479).
    • Strip the x-now-route-matches header from all incoming requests to prevent a race condition that causes cache poisoning, where incorrect content types are cached and served to users.
      • This fixes a low-severity Cache Poisoning vulnerability (CVE-2025-32421).

        Note: This version removes the potential cache poisoning attack vector of CVE-2025-32421 by stripping the x-now-route-matches header from incoming requests. This header is not part of the public Next.js API, as explained by Vercel.

        ⚠️ Self-hosted Next.js deployments should additionally implement CDN-level protection by stripping the x-now-route-matches header at the CDN layer for defense in depth.
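
The recursive-URL validation described under next/image-optimizer above, as an added example (not the NES or Next.js source). It goes beyond the note by decoding in several bounded passes; the function names, the pass limit and the reason strings are assumptions of this sketch.

```javascript
// Added example, not the NES or Next.js source. /_next/image is the Image
// Optimization endpoint; MAX_DECODE_PASSES is an assumption of this sketch.
const IMAGE_ROUTE = /\/_next\/image(\/|$)/;
const MAX_DECODE_PASSES = 5;

// Decode percent-escapes until the string stops changing, so single and
// double encodings of the same path normalise to one form before matching.
function fullyDecode(pathname) {
  let current = pathname;
  for (let pass = 0; pass < MAX_DECODE_PASSES; pass++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch {
      // Malformed on the first pass: reject. On a later pass the input was a
      // literal "%" (for example "100%25.png"), so keep what we have.
      return pass === 0 ? null : current;
    }
    if (next === current) return current;
    current = next;
  }
  return null; // still changing after the pass limit: refuse to guess
}

// Validates the "url" query parameter for same-origin (relative) images.
function validateImageUrlParam(urlParam) {
  if (typeof urlParam !== 'string' || !urlParam.startsWith('/') || urlParam.startsWith('//')) {
    return { ok: false, reason: 'not a relative URL' };
  }
  const { pathname } = new URL(urlParam, 'http://localhost'); // base is a placeholder
  const decoded = fullyDecode(pathname);
  if (decoded === null) return { ok: false, reason: 'pathname cannot be decoded' };
  if (IMAGE_ROUTE.test(decoded)) return { ok: false, reason: 'url parameter is recursive' };
  return { ok: true, pathname: decoded };
}

// Constructed inputs: a normal asset, then the endpoint plain and encoded.
for (const sample of ['/photos/cat.png', '/_next/image?url=%2Fa.png&w=64&q=75', '/%5Fnext/image']) {
  console.log(sample, validateImageUrlParam(sample).ok);
}
```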

April 2025

12.3.9

Released on Apr 8, 2025

Notes

  • Adjusted product name to comply with legal requirements.
  • Full package name(s) and version(s):
    • @neverendingsupport/next@12.3.7-next-12.3.9
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.9
    • @neverendingsupport/next-env@12.3.7-next-12.3.9
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.9
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.9
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.9
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.9
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.9
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.9
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.9

12.3.8

Released on Apr 7, 2025

Notes

  • This release contains no functional change from the OSS Next.js v12.3.7.
  • This release mainlines OSS v12.3.7 into NES v12.3.8.
  • Full package name(s) and version(s):
    • @neverendingsupport/next@12.3.7-next-12.3.8
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.8
    • @neverendingsupport/next-env@12.3.7-next-12.3.8
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.8
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.8
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.8
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.8
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.8
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.8
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.8
