This Week In React #281: Next.js, TanStack, Security, Redact, React Router, Waku, HTML React Parser | Redraw, Expo, Tabs, Screens, Pressable, Activity, Strict DOM, Rock, SWC, Argent Rozenite | TC39, Rolldown, Node, Jest, Bun, npm, Playwright | This Week In React
Briefly

"The Next.js team shipped a coordinated security release fixing 13 vulnerabilities across denial of service, middleware/proxy bypass, server-side request forgery, cache poisoning, XSS. Many vulnerabilities are quite impactful, cannot be blocked by cloud firewalls, and it's recommended to update immediately to a patched version, v15.5.18 or v16.2.6. There's also a Server Functions denial of service affecting React RSC packages, fixed in v19.2.6."
"On May 11, an attacker published malicious versions across 42 @tanstack/* npm packages related to TanStack Router. Although the attack was detected quickly, its payload is a Mini Shai-Hulud worm that infected other maintainers, leading to other compromised packages across the npm and PyPI ecosystems, including packages from Mistral AI, OpenSearch, UiPath, and more."
A coordinated security release for Next.js fixes 13 vulnerabilities spanning denial of service, middleware or proxy bypass, server-side request forgery, cache poisoning, and XSS. Some of the issues are impactful and cannot be blocked by cloud firewalls, so updating immediately to a patched version (v15.5.18 or v16.2.6) is recommended. A separate Server Functions denial of service affects React RSC packages and is fixed in v19.2.6. In an unrelated incident, malicious versions were published across 42 @tanstack/* npm packages related to TanStack Router. The compromise was detected quickly, but the payload acted as a worm, infecting other maintainers and spreading to further compromised packages across the npm and PyPI ecosystems.
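The practical follow-up to the Next.js advisory is checking whether an installed version is at or above the patched releases the newsletter names. The script below is an added example, not code from the newsletter or from the Next.js project: it compares installed versions from a package-lock-style map against the patched versions cited above (v15.5.18 on the 15.x line, v16.2.6 on the 16.x line), treats prerelease builds of a patched version as still unpatched, and flags major lines the newsletter names no patched release for. The `PATCHED` table, the `assess`/`findOutdated` helpers and the sample lockfile excerpt are all constructed for this example; which packages carry the React RSC fix is not stated on the page, so only `next` is tracked.

```javascript
// Added example, not part of the newsletter. Flags installed Next.js versions
// that are older than the patched releases the newsletter cites.

// Parse "v15.5.18", "^15.5.18" or "16.2.6-canary.1" into [major, minor, patch, release].
// The fourth element is 0 for a prerelease and 1 for a final release, so that a
// prerelease sorts below the final release with the same numbers.
function parseVersion(v) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Returns -1, 0 or 1 like a comparator; prerelease suffixes only matter for ordering.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Patched releases named in the newsletter, keyed by package, then by major line.
// Assumption (constructed table): only Next.js is tracked here.
const PATCHED = {
  next: { 15: "15.5.18", 16: "16.2.6" },
};

// Classify one installed version: "patched", "update", "unknown-line" or "not-tracked".
function assess(pkg, installed) {
  const lines = PATCHED[pkg];
  if (!lines) return "not-tracked";
  const major = parseVersion(installed)[0];
  const fixed = lines[major];
  // A major line with no patched release in the table (e.g. 14.x) cannot be
  // cleared by this check and is surfaced for manual review rather than ignored.
  if (!fixed) return "unknown-line";
  return compareVersions(installed, fixed) < 0 ? "update" : "patched";
}

// Scan a { packageName: installedVersion } map (the shape you get from a lockfile)
// and return every entry that needs action, with the patched version when known.
function findOutdated(installed) {
  const findings = [];
  for (const [pkg, version] of Object.entries(installed)) {
    const status = assess(pkg, version);
    if (status === "update" || status === "unknown-line") {
      const major = parseVersion(version)[0];
      findings.push({ pkg, version, status, fixed: PATCHED[pkg][major] || null });
    }
  }
  return findings;
}

// Constructed sample lockfile excerpt, not real project data.
const SAMPLE_LOCK = {
  next: "15.4.2",
  react: "19.2.6",
};

console.log(findOutdated(SAMPLE_LOCK));
// prints [ { pkg: 'next', version: '15.4.2', status: 'update', fixed: '15.5.18' } ]
```

Run it with `node` on a map built from your own lockfile's resolved versions; any `update` entry is below the patched release on its major line, and any `unknown-line` entry is on a major line the newsletter gives no patched version for and needs a look at the vendor advisory.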