Skip to content
This repository was archived by the owner on Jun 18, 2026. It is now read-only.

security: bump next to 14.2.35 (CVE-2025-29927)#45

Open
Florian Kraft (floriank) wants to merge 1 commit into
contentful:mainfrom
floriank:security/staff-1220-next-cve-2025-29927
Open

security: bump next to 14.2.35 (CVE-2025-29927)#45
Florian Kraft (floriank) wants to merge 1 commit into
contentful:mainfrom
floriank:security/staff-1220-next-cve-2025-29927

Conversation

@floriank

@floriank Florian Kraft (floriank) commented Jun 18, 2026

Copy link
Copy Markdown

Summary

Bumps next from 14.2.4 to 14.2.35 to patch the Next.js middleware authorization bypass vulnerability.

Test plan

  • npm ci succeeds locally on the regenerated lockfile
  • npm ls next reports next@14.2.35
  • Reviewer sanity check that no other dep moved in the lockfile diff (only next and its transitive @next/*/@swc/* siblings should change)

Patches the Next.js middleware authorization bypass tracked in
GHSA-f82v-jwr5-mffw / CVE-2025-29927 by bumping next from 14.2.4 to
14.2.35 (latest 14.2.x patch).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@wiz-inc-38d59fb8d7

Copy link
Copy Markdown

Wiz Scan Summary

Scanner Findings
Vulnerability Finding Vulnerabilities 10 High 15 Medium 4 Low
Data Finding Sensitive Data -
Secret Finding Secrets -
IaC Misconfiguration IaC Misconfigurations -
SAST Finding SAST Findings -
Software Management Finding Software Management Findings -
Total 10 High 15 Medium 4 Low

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

Comment thread package.json
"eslint-config-next": "^14.2.4",
"inquirer": "^8.2.6",
"next": "latest",
"next": "14.2.35",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High Vulnerability Finding

The following vulnerabilities impact next versions <15.5.16: CVE-2025-59471, CVE-2026-23864, CVE-2026-23869, CVE-2026-23870, CVE-2026-27980, CVE-2026-29057, CVE-2026-44572, CVE-2026-44573, CVE-2026-44576, CVE-2026-44577, CVE-2026-44578, CVE-2026-44580, CVE-2026-44581, CVE-2026-44582.

These can be remediated by updating to version 15.5.16 or higher.

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

Suggested change
"next": "14.2.35",
"next": "15.5.16",

Comment thread package-lock.json
"version": "14.2.4",
"resolved": "https://registry.npmjs.org/next/-/next-14.2.4.tgz",
"integrity": "sha512-R8/V7vugY+822rsQGQCjoLhMuC9oFj9SOi4Cl4b2wjDrseD0LRZ10W7R6Czo4w9ZznVSshKjuIomsRjvm9EKJQ==",
"version": "14.2.35",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High Vulnerability Finding

More Details

Vulnerabilities [next:14.2.35]

Name Severity Source Fixed version CVSS score CVSS exploitability score Has public exploit Has CISA KEV exploit
CVE-2025-59471 Medium https://github.com/advisories/GHSA-9g9p-9gw9-jx7f 15.5.10 7.5 3.9 false false
CVE-2026-23864 High https://github.com/advisories/GHSA-h25m-26qc-wcjf 15.0.8 7.5 3.9 true false
CVE-2026-23869 High https://github.com/advisories/GHSA-q4gf-8mx6-v5v3 15.5.15 7.5 3.9 true false
CVE-2026-23870 High https://github.com/advisories/GHSA-8h8q-6873-q5fj 15.5.16 7.5 3.9 true false
CVE-2026-27980 Medium https://github.com/advisories/GHSA-3x4c-7xq6-9pq8 15.5.14 6.9 3.9 false false
CVE-2026-29057 Medium https://github.com/advisories/GHSA-ggv3-7p47-pfv8 15.5.13 6.3 3.9 false false
CVE-2026-44572 Low https://github.com/advisories/GHSA-3g8h-86w9-wvmq 15.5.16 5.9 2.2 true false
CVE-2026-44573 High https://github.com/advisories/GHSA-36qx-fr4f-26g5 15.5.16 7.5 3.9 true false
CVE-2026-44576 Medium https://github.com/advisories/GHSA-wfc6-r584-vfw7 15.5.16 5.4 2.2 true false
CVE-2026-44577 Medium https://github.com/advisories/GHSA-h64f-5h5j-jqjh 15.5.16 5.9 2.2 true false
CVE-2026-44578 High https://github.com/advisories/GHSA-c4j6-fc7j-m34r 15.5.16 8.6 3.9 true false
CVE-2026-44580 Medium https://github.com/advisories/GHSA-gx5p-jg67-6x7h 15.5.16 6.1 2.8 true false
CVE-2026-44581 Medium https://github.com/advisories/GHSA-ffhc-5mcf-pf4q 15.5.16 4.7 1.6 true false
CVE-2026-44582 Low https://github.com/advisories/GHSA-vfv6-92ff-j949 15.5.16 3.7 2.2 true false

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).


To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant