fix(deps): update dependency next to v16.0.7 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next (source)	16.0.1 -> 16.0.7

GitHub Vulnerability Alerts

CVE-2025-48068

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

CVE-2025-57752

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

CVE-2025-55173

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

CVE-2025-57822

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

CVE-2025-32421

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

CVE-2025-66478

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

---

Release Notes

vercel/next.js (next)

v16.0.7

Compare Source

v16.0.6

Compare Source

v16.0.5

Compare Source

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix(nodejs-middleware): await for body cloning to be properly finalized (#​85418)

Credits

Huge thanks to @​lucasadrianof for helping!

v16.0.4

Compare Source

v16.0.3

Compare Source

Core Changes

• fix: Rspack throw error when using ForceCompleteRuntimePlugin: #​85221
• fix: build CLI output not displaying Proxy (Middleware) when nodejs runtime: #​85403
• fix: staleTimes.static should consistently enforce a 30s minimum: #​85479
• [turbopack] fix build of empty entries of pages: #​84873
• Cache the head separately from the route tree: #​84724
• Allow inspecting dev server on default port with next dev --inspect: #​85037
• Avoid proxying React modules through workUnitStore: #​85486
• fix: redirect should always return updated router state: #​85533
• Upgrade React from b4455a6e-20251027 to 4f931700-20251029: #​85518
• [turbopack] Move generation of cacheLife types out of the webpack plugin and into the dev bundler directly: #​85539
• Ensure user-space stack frame for 'use cache' in page/layout component: #​85519
• Update parallel routes in build-complete: #​85546
• fully remove clientSegmentCache flag: #​85541
• [turbopack] Support relative paths in turbopack source maps.: #​85146
• Release unnecessary memory on hydration finish: #​84967
• Preserve interception markers in parameter types: #​85526
• move segment cache entries to top level segment-cache dir: #​85542
• Upgrade React from 4f931700-20251029 to 561ee24d-20251101: #​85670
• [devtools] Remove title from preferences: #​85698
• Update font data: #​85708
• Don't invalidate hot reloader excessively during dev server boot: #​85732
• [codemod] fix: next-lint-to-eslint-cli did not handle 'next' plugin: #​85749
• Upgrade React from 561ee24d-20251101 to 67f7d47a-20251103: #​85762
• Tracing: Fix memory leak in span map: #​85529
• Fix documentation typo in refresh function: #​85696
• fix: eslint-config-next types was exporting to dist/src: #​85768
• Upgrade React from 67f7d47a-20251103 to f646e8ff-20251104: #​85772
• remove unused RSC payload property: #​85746
• [runtime prefetching]: fix runtime prefetching when deployed: #​85595
• Turbopack: next build --analyze: #​85197
• Build: Log amount of workers during static generation: #​85706
• Upgrade React from f646e8ff-20251104 to dd048c3b-20251105: #​85819
• Sync devFallbackParams when generateStaticParams change: #​85741
• chore: upgrade rspack 1.6.0: #​84210
• [mcp] get_routes mcp tool: #​85773
• Split each path param into a separate cache key : #​85758
• [turbopack] change server source maps in production to use relative paths: #​85576
• fix: skip collecting metadata for app-error in webpack: #​85892
• fix: support root span attributes with a custom server: #​85521
• fix isDynamicRSC condition when deployed: #​85919
• [turbopack] Make it possible to synchronously access native bindings: #​85787
• Upgrade React from dd048c3b-20251105 to fa50caf5-20251107: #​85906
• Fix telemetry event loss on build failures and server shutdown: #​85867
• Remove one stack frame from 'use cache' call stacks: #​85966
• Upgrade React from fa50caf5-20251107 to 52684925-20251110: #​85980
• Deployment adapter: fix metadata for "/" route: #​85820
• Enable React's default Transition indicator behind a flag: #​86000
• update routes-manifest to include whether app has pages routes: #​86051

Misc Changes

• chore: Add opt-level = s for not frequently used crates: #​85426
• [test] Deflake cache-components-allow-otel-spans: #​85466
• [test] Move remaining experimental.cacheLife: #​85467
• Turbopack: chore: Remove mopa dependency in turbo-tasks (2nd attempt): #​85286
• Update Proxy docs: #​85439
• [CNA] Do not prompt for Turbopack: #​85404
• Clean up new release process: #​85458
• Update E2E tests workflow: #​85485
• Update E2E deploy tests manifest: #​85483
• docs: example are incorrect async function exports only: #​85453
• [test] Handle CLI assertions where no "Compiling..." log is present: #​85499
• [test] Speed up refresh test: #​85505
• [test] Add test cases for dynamic caches without suspense boundaries: #​85500
• docs: Routes are wrapped w/ Activity in Cache Components: #​85309
• docs: GET handler behavior under cache components: #​85389
• [test] Avoid needless start/stop from using createSandbox: #​85507
• [test] Use --debug-build-paths instead of NEXT_PRIVATE_APP_PATHS: #​85504
• docs: revalidateTag requires second argument: #​85284
• Refactor GTM implementation to support google tag gateway: #​81011
• Update Rspack production test manifest: #​85494
• Update Rspack development test manifest: #​85495
• [docs] Fix a typo: #​85492
• [test] Regenerate tsconfig.json files: #​85515
• [Turbopack] clean up completion.rs a bit: #​84863
• [test] Remove maxRetries and hardError parameters: #​85536
• Turbopack: remove the .into() alias to .cell(): #​85516
• [test] Consolidate identical snapshots across different bundlers: #​85532
• [turbopack] Change where cells are created in resolve_raw to make cell allocation order deterministic.: #​85525
• Turbopack: Make tasks deterministic: #​85524
• [test] Separate act and assertions: #​85508
• [test] assert* -> waitFor* when the util is not instant: #​85450
• Turbopack: move whole_app_module_graphs to top level: #​84897
• [test] Bail on sending requests to Next.js instance if it's no longer available: #​85557
• [test] Deflake tests comparing two random numbers: #​85571
• [test] Disallow custom RegExp-like implementations in check: #​85537
• [test] Deflake prerender suite: #​85563
• Turbopack: chore: Remove some dead MagicAny serialization code from turbo_tasks::value: #​85577
• [test]: fix broken scroll restoration test: #​85599
• [test] Deflake nested after() tests: #​85566
• [test] Stop installing unused dependencies: #​85569
• [test] Consider test/integration/ in flake detection tests: #​85590
• Turbopack: more checks on verify_serialization: #​84952
• Turbopack: add track_caller to improve panics: #​85565
• Turbopack: add verify_determinism feature to check if tasks are deterministic: #​85559
• docs: cache life rework: #​85224
• Turbopack: fix hanging dev server and builds with fs cache: #​85606
• Turbopack: Fix compound assignment expression evaluation (#​85478): #​85593
• Turbopack: fix Scope holding Arc too long: #​85611
• [ci] Improve change detection logic in run-for-change script: #​85619
• [test] Ignore in deploy tests if a child process isn't available: #​85636
• Turbopack: add size_hint and len for Chunk iterator: #​85622
• [test]: move resume-data-cache to e2e test: #​85647
• Update Rspack development test manifest: #​85662
• Update Rspack production test manifest: #​85661
• Update Rspack production test manifest: #​85688
• Update Rspack development test manifest: #​85689
• [test] Deflake root-optional-revalidate: #​85584
• docs: fix generateImageMetadata example to use normal params object: #​85658
• Turbopack: Upgrade image crate: #​85084
• docs: update multi sitemap argumenmt type: #​85701
• [test] Move all files to .ts (6/6): #​85641
• Turbopack: add a batch add method to the storage: #​84270
• docs: recommend reverse-proxy when self-hosting: #​85650
• [test] Deflake prefetching.stale-times: #​85733
• [test] Deflake custom cache handler test: #​85610
• [test] Allow CLI integration test to be retryable: #​85586
• docs: update docs to mention ESLint as default: #​85740
• docs(next.config): this docs should remove ".mts" is not supported.: #​85716
• Turbopack: cleanup StyleSheetLike: #​85718
• Turbopack: disable tree shaking for tracing: #​85722
• [test] Move all files to .ts (3/6): #​85638
• [test] Move all files to .ts (2/6): #​85637
• [test] Move all files to .ts (1/6): #​85634
• docs: generateSitemap passes id as promise: #​85767
• [test] Move all files to .ts (4/6): #​85639
• docs: disclosure on path-to-regexp: #​85629
• chore: update rspack binding to 1.6.0: #​85717
• Turbopack: trace worker_threads worker entry: #​85734
• Update Rspack development test manifest: #​85761
• Turbopack: chore: Remove extern crate and macro_use syntax: #​85778
• [turbopack] Drop duration and allocation tracking from CaptureFuture: #​85534
• Turbopack: chore: Remove dead RouteMatcher stuff: #​85784
• docs: fresh up getting started 00: #​85736
• Turbopack: chore: Remove the serde_regex dependency, which wasn't very heavily used: #​85578
• Turbopack: use batch add in connect children: #​85623
• [test] Move all files to .ts (5/6): #​85640
• [test] Deflake legacy-link-behavior: #​85805
• Resolve request ID confusion: #​85809
• Turbopack: use batch add to add initial followers: #​85624
• Turbopack: chore: Remove dead experimental.ppr struct field: #​85792
• Turbopack: chore: Avoid string clones in Glob::parse by using RcStr: #​85579
• Update Rspack production test manifest: #​85795
• docs: getting started updates 01: #​85750
• chore: Update patricia_tree dependency, remove manual serde impls: #​85785
• docs: keywords in system reqs and add browserslist: #​85838
• Honour NEXT_TEST_PREFER_OFFLINE in install-native.mjs: #​85850
• Turbopack: chore: Update anyhow, remove old backtrace feature: #​85844
• Turbopack: Remove some dead (or useless) code from next-core/src/next_client_reference/visit_client_reference.rs: #​85843
• sort dependencies for smaller diffs: #​82291
• Update Rspack development test manifest: #​85846
• Turbopack: Remove non_operation_vc_strongly_consistent feature usage from next-api: #​85874
• Turbopack: remove the streaming hack for improved stability: #​85858
• test: Port clean-distdir integration test to the modern e2e test framework: #​85828
• Update font data: #​85920
• Update deploy manifest: #​85924
• Turbopack: chore: Merge turbo-tasks-macros-shared crate into turbo-tasks-macros: #​85917
• Turbopack: Fix IO concurrency for MacOS: #​85861
• Add Appwrite Sites to supported adapters: #​85830
• [turbopack] Remove LocalTaskType::Native, it is dead: #​85480
• [test] Increase response timeout in next.browserWithResponse(): #​85911
• Hoist inner 'use cache' functions to reduce function allocations: #​85904
• docs: eslint config update: #​85969
• Fix Turbopack local font font-family declaration: #​85913
• switch to slice in createRuntimePrefetchTransformStream: #​85822
• Update authentication.mdx: Fix Auth0 Link: #​85953
• Turbopack: remove unused function: #​85974
• docs: cacheHandlers: #​85311
• docs: Feedback item on proxy default: #​86004
• [test] Add missing test fixtures for cacheLife & cacheTag in client: #​85872
• Fix false-positive build error for cacheLife & cacheTag: #​85875
• [cna] For pnpm ignore postinstall from sharp and unrs-resolver: #​83168
• Turbopack: refactor evaluate to take module_graph: #​85971
• Turbopack: remove duplicate traversal implementations: #​85853
• Omit unused encryptActionBoundArgs/decryptActionBoundArgs imports: #​86015
• Turbopack: cleanup db log and add verbose option: #​85965
• [ci]: fix retry_deploy_test workflow: #​85981
• Fix typo in documentation: #​86054

Credits

Huge thanks to @​kdy1, @​eps1lon, @​SyMind, @​bgw, @​swarnava, @​devjiwonchoi, @​ztanner, @​ijjk, @​huozhi, @​icyJoseph, @​acdlite, @​unstubbable, @​gnoff, @​gusfune, @​vercel-release-bot, @​lukesandberg, @​sokra, @​hayes, @​shuding, @​wyattjoh, @​marjan-ahmed, @​timneutkens, @​ajstrongdev, @​zigang93, @​mischnic, @​Nayeem-XTREME, @​hamirmahal, @​eli0shin, @​tessamero, @​gaojude, @​jamesdaniels, @​georgesfarah, and @​timeyoutakeit for helping!

v16.0.2

Compare Source

[!NOTE]
This version includes no code or feature changes. To get the latest change, please look for the next patch release v16.0.3 or next@​latest

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Summary by cubic

Upgrade Next.js from 16.0.1 to 16.0.7 across the repo to patch upstream security issues, including the React Server Components vulnerability affecting Next 15.x/16.x. This keeps image optimization and middleware behavior secure.

• Dependencies

  • Bumped Next.js to 16.0.7 in apps/demo, apps/web, packages/preview-server, and packages/react-email; updated lockfile.
  • Includes patches for React Server Components and recent Image Optimization/Middleware advisories.

• Migration

  • If using App Router in dev, set allowedDevOrigins in next.config.js to opt in to the dev server mitigation.
  • Review custom middleware to avoid passing incoming request headers into NextResponse.next().
  • If serving images from API routes with optimization enabled, verify caching does not leak header-dependent responses.

^{Written for commit 34d2afd. Summary will update automatically on new commits.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 34d2afd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
react-email	Ready	Preview	Comment	Dec 3, 2025 8:37pm
react-email-demo	Ready	Preview	Comment	Dec 3, 2025 8:37pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​next/​env@​15.3.1
	@​radix-ui/​react-toggle@​1.1.10
	@​radix-ui/​react-slot@​1.2.3
	@​radix-ui/​react-collapsible@​1.1.12
	@​radix-ui/​react-toggle-group@​1.1.11
	@​radix-ui/​react-tabs@​1.1.13
	@​radix-ui/​react-dropdown-menu@​2.1.16
	@​radix-ui/​react-popover@​1.1.15
	@​radix-ui/​react-tooltip@​1.2.8
	@​radix-ui/​react-tabs@​1.1.2
	@​radix-ui/​react-select@​2.2.6
	@​radix-ui/​colors@​3.0.0
	@​edge-runtime/​vm@​5.0.0
	@​react-email/​tailwind@​0.0.12
	@​changesets/​cli@​2.29.7
	@​lottiefiles/​dotlottie-react@​0.13.3
	@​react-email/​tailwind@​0.0.17
	@​supabase/​supabase-js@​2.49.4

View full report

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/resend/react-email/@react-email/preview-server@2716

npm i https://pkg.pr.new/resend/react-email@2716

commit: 34d2afd

[cubic-dev-ai]

No issues found across 5 files

[kdawgwilk]

This is getting flagged by our systems as well can we get a new version deployed to address this

[zhulien-ivanov]

Please, give more attention to this issue. Currently, there is a hard dependency on next 16.0.1 and we can't get around it without doing manual overrides.

  "dependencies": {
    "next": "16.0.1"
  },

[roderickhsiao]

is it possible to backport to version when we are using Next 15? we still have some build issue to upgrade to latest version but we are blocked by the version to deploy react-email on Vercel

[ghandic]

We need another bump to 16.0.10

npx fix-react2shell-next
Need to install the following packages:
fix-react2shell-next@1.1.4
Ok to proceed? (y) y


fix-react2shell-next - Next.js vulnerability scanner

Checking for 4 known vulnerabilities:

  - CVE-2025-66478 (critical): Remote code execution via crafted RSC payload
  - CVE-2025-55184 (high): DoS via malicious HTTP request causing server to hang and consume CPU
  - CVE-2025-55183 (medium): Compiled Server Action source code can be exposed via malicious request
  - CVE-2025-67779 (high): Incomplete fix for CVE-2025-55184 DoS via malicious RSC payload causing infinite loop

Found 2 package.json file(s)

Found 1 vulnerable file(s):

  .react-email/package.json
     next: 16.0.7 -> 16.0.10 [CVE-2025-55184, CVE-2025-55183, CVE-2025-67779]