NES for Next.js 12.3.x

NES Release Notes

12.3.11 (NES)

Notes

  • This release backports remediations for the vulnerabilities listed under Bug Fixes below.

Bug Fixes

  • next/image-optimizer:
    • (CVE-2025-55173) Improve image optimizer logic to avoid falling back to the upstream's Content-Type header when magic number detection fails. This ensures that responses are only cached when confidently identified as image content and do not mistakenly reuse cache keys for user-specific responses.
    • (CVE-2025-57752) Improve image optimizer by ensuring request headers aren't forwarded to the request that is proxied to the image endpoint. This ensures that the image endpoint cannot be used to serve images that require authorization data and thus cannot be cached.
  • Full Versions:
    • @neverendingsupport/next@12.3.7-next-12.3.11
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.11
    • @neverendingsupport/next-env@12.3.7-next-12.3.11
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.11
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.11
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.11
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.11
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.11
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.11
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.11
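
The two image optimizer remediations above, sketched as an added example (not NES or Next.js source code): the response type is decided from the body's magic number only, and no client request headers are carried into the proxied fetch. All function names and the sample bytes are hypothetical and constructed for illustration.

```javascript
// Added illustration; not Next.js or NES source. All names are hypothetical.

// Magic-number signatures for a few common image formats.
const SIGNATURES = [
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/gif', bytes: [0x47, 0x49, 0x46, 0x38] },
];

function detectImageType(buf) {
  for (const { type, bytes } of SIGNATURES) {
    if (buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b)) return type;
  }
  // WebP layout: "RIFF" <4-byte size> "WEBP"
  if (buf.length >= 12 &&
      buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') return 'image/webp';
  return null;
}

// CVE-2025-55173 idea: the upstream Content-Type is deliberately ignored.
// If the body is not recognisably an image, nothing is served or cached.
function classifyUpstreamResponse(upstreamContentType, body) {
  const detected = detectImageType(body);
  if (!detected) return { ok: false, cacheable: false, contentType: null };
  return { ok: true, cacheable: true, contentType: detected };
}

// CVE-2025-57752 idea: the proxied fetch gets a fresh header set. Nothing from
// the client request (Cookie, Authorization, ...) is copied across.
function buildUpstreamRequestHeaders(incomingHeaders) {
  const dropped = Object.keys(incomingHeaders).map((h) => h.toLowerCase());
  return { headers: { accept: 'image/*' }, dropped };
}

// Constructed sample: a user-specific JSON body mislabelled as image/png.
const mislabelled = Buffer.from('{"user":"alice","plan":"pro"}');
console.log(classifyUpstreamResponse('image/png', mislabelled));
console.log(buildUpstreamRequestHeaders({ Cookie: 'session=abc', Authorization: 'Bearer t' }));
```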

12.3.10 (NES)

Notes

  • This release implements a new package naming scheme for the Next.js packages. More information about the change can be found in the NES Decoupled Namespace Specification.
  • Full Versions:
    • @neverendingsupport/next@12.3.7-next-12.3.10
    • @neverendingsupport/next-bundle-analyzer@12.3.7-next-12.3.10
    • @neverendingsupport/next-env@12.3.7-next-12.3.10
    • @neverendingsupport/next-eslint-plugin-next@12.3.7-next-12.3.10
    • @neverendingsupport/next-mdx@12.3.7-next-12.3.10
    • @neverendingsupport/next-polyfill-module@12.3.7-next-12.3.10
    • @neverendingsupport/next-polyfill-nomodule@12.3.7-next-12.3.10
    • @neverendingsupport/next-react-dev-overlay@12.3.7-next-12.3.10
    • @neverendingsupport/next-react-refresh-utils@12.3.7-next-12.3.10
    • @neverendingsupport/eslint-config-next@12.3.7-next-12.3.10

Bug Fixes

  • This release backports remediations for the following:
    • a High Severity Authorization Bypass vulnerability - CVE-2024-51479
    • a High Severity Denial of Service vulnerability - CVE-2024-47831
    • a Low Severity Cache Poisoning vulnerability - CVE-2025-32421

      Note: This version removes the potential cache poisoning attack vector of CVE-2025-32421 by stripping the x-now-route-matches header from incoming requests. This header is not part of the public Next.js API, as explained by Vercel.

      ⚠️ Self-hosted Next.js deployments should additionally implement CDN-level protection by stripping the x-now-route-matches header at the CDN layer for defense in depth.

12.3.9 (NES)

Notes

  • Adjusted product name to comply with legal requirements.
  • Full Version: 12.3.7-next-12.3.9

12.3.8 (NES)

Notes

  • This release contains no functional change from the OSS Next.js v12.3.7.
  • This release mainlines OSS v12.3.7 into NES v12.3.8.
  • Full Version: 12.3.7-next-12.3.8