NES for Next.js 12.3.x

NES Release Notes

12.3.10 (NES)

Notes

  • This release implements a new package naming scheme for the Next.js packages. More information about the change can be found in the NES Decoupled Namespace Specification.
  • Full Versions:
    • @neverendingsupport/next@12.3.7-next-12.3.10
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.10
    • @neverendingsupport/next-env@12.3.7-next-12.3.10
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.10
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.10
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.10
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.10
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.10
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.10
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.10

Bug Fixes

  • This release backports remediations for the following:
    • a High Severity Authorization Bypass vulnerability - CVE-2024-51479
    • a High Severity Denial of Service vulnerability - CVE-2024-47831
    • a Low Severity Cache Poisoning vulnerability - CVE-2025-32421

      Note: This version removes the potential cache poisoning attack vector of CVE-2025-32421 by stripping the x-now-route-matches header from incoming requests. This header is not part of the public Next.js API, as explained by Vercel.

      ⚠️ Self-hosted Next.js deployments should additionally strip the x-now-route-matches header at the CDN layer for defense in depth.

12.3.9 (NES)

Notes

  • Adjusted product name to comply with legal requirements.
  • Full Version: 12.3.7-next-12.3.9

12.3.8 (NES)

Notes

  • This release contains no functional change from the OSS Next.js v12.3.7.
  • This release mainlines OSS v12.3.7 into NES v12.3.8.
  • Full Version: 12.3.7-next-12.3.8