security: bump next to 14.2.35 (CVE-2025-29927)#45
security: bump next to 14.2.35 (CVE-2025-29927)#45Florian Kraft (floriank) wants to merge 1 commit into
Conversation
Patches the Next.js middleware authorization bypass tracked in GHSA-f82v-jwr5-mffw / CVE-2025-29927 by bumping next from 14.2.4 to 14.2.35 (latest 14.2.x patch). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
| "eslint-config-next": "^14.2.4", | ||
| "inquirer": "^8.2.6", | ||
| "next": "latest", | ||
| "next": "14.2.35", |
There was a problem hiding this comment.
The following vulnerabilities impact next versions <15.5.16: CVE-2025-59471, CVE-2026-23864, CVE-2026-23869, CVE-2026-23870, CVE-2026-27980, CVE-2026-29057, CVE-2026-44572, CVE-2026-44573, CVE-2026-44576, CVE-2026-44577, CVE-2026-44578, CVE-2026-44580, CVE-2026-44581, CVE-2026-44582.
These can be remediated by updating to version 15.5.16 or higher.
To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason
If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).
To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate
| "next": "14.2.35", | |
| "next": "15.5.16", |
| "version": "14.2.4", | ||
| "resolved": "https://registry.npmjs.org/next/-/next-14.2.4.tgz", | ||
| "integrity": "sha512-R8/V7vugY+822rsQGQCjoLhMuC9oFj9SOi4Cl4b2wjDrseD0LRZ10W7R6Czo4w9ZznVSshKjuIomsRjvm9EKJQ==", | ||
| "version": "14.2.35", |
There was a problem hiding this comment.
More Details
Vulnerabilities [next:14.2.35]
| Name | Severity | Source | Fixed version | CVSS score | CVSS exploitability score | Has public exploit | Has CISA KEV exploit |
|---|---|---|---|---|---|---|---|
CVE-2025-59471 |
https://github.com/advisories/GHSA-9g9p-9gw9-jx7f |
15.5.10 |
7.5 | 3.9 | false | false | |
CVE-2026-23864 |
https://github.com/advisories/GHSA-h25m-26qc-wcjf |
15.0.8 |
7.5 | 3.9 | true | false | |
CVE-2026-23869 |
https://github.com/advisories/GHSA-q4gf-8mx6-v5v3 |
15.5.15 |
7.5 | 3.9 | true | false | |
CVE-2026-23870 |
https://github.com/advisories/GHSA-8h8q-6873-q5fj |
15.5.16 |
7.5 | 3.9 | true | false | |
CVE-2026-27980 |
https://github.com/advisories/GHSA-3x4c-7xq6-9pq8 |
15.5.14 |
6.9 | 3.9 | false | false | |
CVE-2026-29057 |
https://github.com/advisories/GHSA-ggv3-7p47-pfv8 |
15.5.13 |
6.3 | 3.9 | false | false | |
CVE-2026-44572 |
https://github.com/advisories/GHSA-3g8h-86w9-wvmq |
15.5.16 |
5.9 | 2.2 | true | false | |
CVE-2026-44573 |
https://github.com/advisories/GHSA-36qx-fr4f-26g5 |
15.5.16 |
7.5 | 3.9 | true | false | |
CVE-2026-44576 |
https://github.com/advisories/GHSA-wfc6-r584-vfw7 |
15.5.16 |
5.4 | 2.2 | true | false | |
CVE-2026-44577 |
https://github.com/advisories/GHSA-h64f-5h5j-jqjh |
15.5.16 |
5.9 | 2.2 | true | false | |
CVE-2026-44578 |
https://github.com/advisories/GHSA-c4j6-fc7j-m34r |
15.5.16 |
8.6 | 3.9 | true | false | |
CVE-2026-44580 |
https://github.com/advisories/GHSA-gx5p-jg67-6x7h |
15.5.16 |
6.1 | 2.8 | true | false | |
CVE-2026-44581 |
https://github.com/advisories/GHSA-ffhc-5mcf-pf4q |
15.5.16 |
4.7 | 1.6 | true | false | |
CVE-2026-44582 |
https://github.com/advisories/GHSA-vfv6-92ff-j949 |
15.5.16 |
3.7 | 2.2 | true | false |
To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason
If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).
To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate
Summary
Bumps
nextfrom14.2.4to14.2.35to patch the Next.js middleware authorization bypass vulnerability.package.jsonwas previously pinned tonext@latest; this change pins it to a specific safe14.2.xpatch line so the lockfile is reproducible.Test plan
npm cisucceeds locally on the regenerated lockfilenpm ls nextreportsnext@14.2.35nextand its transitive@next/*/@swc/*siblings should change)