
[Aikido] Fix 47 security issues in next, @ai-sdk/azure, dompurify and 6 more #76

Open

aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-48225255-xsrv

@aikido-autofix

Upgrade dependencies to fix critical SSRF via WebSocket proxying, authorization bypass via route parameter manipulation, and DoS via malicious Server Function deserialization.

✅ 47 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-44578 | HIGH | [next] Self-hosted applications are vulnerable to server-side request forgery (SSRF) through crafted WebSocket upgrade requests, allowing attackers to proxy requests to arbitrary destinations and potentially expose internal services or cloud metadata. Vercel-hosted deployments are unaffected. |
| AIKIDO-2026-10758 | HIGH | [next] A WebSocket upgrade proxying vulnerability allows attackers to craft requests that trigger outbound connections to arbitrary destinations, enabling server-side request forgery and potential exposure of internal services. This affects self-hosted deployments and can be exploited to reach internal or external targets. |
| AIKIDO-2026-10759 | HIGH | [next] A route parameter encoding mismatch allows attackers to bypass authorization checks by supplying specially crafted parameters that alter the effective route seen by middleware while rendering a different target page. |
| CVE-2026-44574 | HIGH | [next] A vulnerability allows attackers to bypass middleware protection on dynamic routes using specially crafted query parameters, causing protected content to render without authorization checks. This results in an authorization bypass that could expose sensitive information or functionality. |
| GHSA-q4gf-8mx6-v5v3 | HIGH | [next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage during deserialization, causing denial of service (DoS). |
| AIKIDO-2026-10762 | HIGH | [next] A deserialization vulnerability in server function endpoints allows attackers to consume excessive CPU through crafted input, causing denial of service by exhausting request handling capacity and degrading application availability. |
| AIKIDO-2026-10761 | HIGH | [next] A vulnerability allows crafted request paths to bypass middleware and proxy authorization checks by exploiting transport-specific segment-prefetch route variants, enabling unauthorized access to protected content through alternate access paths. |
| AIKIDO-2026-10757 | HIGH | [next] A vulnerability in Pages Router with i18n allows attackers to bypass middleware authorization checks by accessing locale-less data routes, enabling unauthorized access to protected page data through alternate paths. |
| CVE-2026-44573 | HIGH | [next] A vulnerability allows unauthorized access to protected page data in applications using Pages Router with i18n configuration, as middleware authorization checks are bypassed for locale-less data route requests. An attacker can retrieve sensitive SSR JSON data without passing authorization checks, resulting in information disclosure. |
| CVE-2026-44575 | HIGH | [next] Authorization bypass in App Router allows unauthorized access to protected content through transport-specific route variants (.rsc and segment-prefetch URLs) that bypass middleware checks. Attackers can reach protected pages without proper authorization verification. |
| CVE-2026-44579 | HIGH | [next] Applications using Partial Prerendering with Cache Components are vulnerable to connection exhaustion via crafted POST requests to server actions, causing request-body handling deadlocks that consume server resources and lead to denial of service. Malicious actors can exhaust file descriptors and server capacity, preventing legitimate users from accessing the application. |
| CVE-2026-45109 | HIGH | [next] Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6. |
| GHSA-8h8q-6873-q5fj | HIGH | [next] A specially crafted HTTP request to App Router Server Function endpoints can trigger excessive CPU usage during deserialization, causing denial of service (DoS). |
| AIKIDO-2026-10755 | MEDIUM | [next] Inline beforeInteractive script serialization insufficiently escapes untrusted input, allowing attackers to break script boundaries and execute arbitrary JavaScript in the browser when untrusted data is passed to script props. |
| CVE-2026-44580 | MEDIUM | [next] A cross-site scripting (XSS) vulnerability exists in applications using beforeInteractive scripts with untrusted content, where serialized script content is not properly escaped, allowing attackers to execute arbitrary JavaScript in visitors' browsers. |
| AIKIDO-2026-10754 | MEDIUM | [next] The Image Optimization API fails to enforce consistent maximum-size limits when loading local images into memory, allowing attackers to exhaust process memory through large local assets and cause denial of service in self-hosted configurations. |
| CVE-2026-44577 | MEDIUM | [next] A memory exhaustion vulnerability in the Image Optimization API allows attackers to trigger out-of-memory conditions by requesting large local assets through the /_next/image endpoint without size limits. This can cause denial of service by consuming excessive server memory. |
| CVE-2026-44572 | MEDIUM | [next] A vulnerability allows attackers to send a crafted x-nextjs-data header on requests to middleware-handled paths, causing the redirect response to use an internal header instead of the standard Location header, which browsers cannot follow. If deployed behind a caching CDN or reverse proxy, this can poison the cache and cause denial of service for affected redirect paths. |
| AIKIDO-2026-10753 | MEDIUM | [next] A cache poisoning vulnerability allows attackers to cause incorrect React Server Component payloads to be cached and served to users under shared-cache conditions, potentially returning malformed responses and compromising application functionality. |
| CVE-2026-44576 | MEDIUM | [next] Applications using React Server Components are vulnerable to cache poisoning due to improper response variant partitioning in shared caches, allowing attackers to serve component payloads instead of HTML and poison cache entries for subsequent visitors. This enables unauthorized content injection and potential remote code execution through malicious component payloads. |
| AIKIDO-2026-10756 | MEDIUM | [next] A vulnerability in App Router allows malformed CSP nonce values from request headers to be reflected into HTML, potentially poisoning cached content and enabling script execution for other users in shared-cache deployments. |
| CVE-2026-44581 | MEDIUM | [next] App Router applications using CSP nonces are vulnerable to stored cross-site scripting when deployed behind shared caches, as malformed nonce values from request headers can be unsafely reflected into HTML, allowing attackers to poison cached responses and execute scripts for subsequent visitors. |
| AIKIDO-2026-10760 | LOW | [next] A cache component vulnerability allows attackers to force request flows into a body-handling deadlock, keeping connections open excessively long. Repeated crafted requests can exhaust file descriptors and worker capacity, causing denial of service through connection exhaustion. |
| AIKIDO-2026-10752 | LOW | [next] RSC cache-busting values can collide in shared cache deployments, allowing attackers to poison cache variants and serve incorrect component responses to users. This vulnerability stems from insufficient collision resistance in response variant separation. |
| AIKIDO-2026-10751 | LOW | [next] A vulnerability in middleware redirect handling allows attackers to manipulate redirect responses and poison caches by spoofing internal-data headers, causing subsequent users to receive broken cached redirects until expiry. |
| CVE-2026-44582 | LOW | [next] React Server Component responses are vulnerable to cache poisoning due to insufficient response partitioning, allowing attackers to manipulate cache entries and serve incorrect content to users. This can lead to information disclosure or content manipulation through collisions in cache-busting values. |
| AIKIDO-2026-10981 | HIGH | [@ai-sdk/provider-utils] A URL validation bypass in the downloadBlob helper allows fetching arbitrary URLs without protocol or IP range restrictions, enabling Server-Side Request Forgery (SSRF) attacks. The vulnerability permits access to internal networks, loopback addresses, and private IP ranges. |
| CVE-2026-41238 | MEDIUM | [dompurify] A prototype pollution vulnerability allows attackers to inject malicious regex patterns into Object.prototype, bypassing DOMPurify's sanitization to inject arbitrary custom elements with event handlers, enabling XSS attacks. This affects applications using default configuration without custom element handling. |
| CVE-2026-41239 | MEDIUM | [dompurify] A template expression sanitization bypass allows XSS attacks when using RETURN_DOM or RETURN_DOM_FRAGMENT modes with SAFE_FOR_TEMPLATES, as {{...}} expressions are not properly stripped in these modes, enabling injection through template-evaluating frameworks. |
| CVE-2026-41240 | MEDIUM | [dompurify] Inconsistency in FORBID_TAGS handling when using function-based ADD_TAGS allows forbidden elements to bypass sanitization and survive with their attributes intact. This enables XSS attacks through improperly filtered HTML elements. |
| AIKIDO-2026-10563 | MEDIUM | [dompurify] A type validation bypass in configuration and input handling could allow crafted inputs or malformed configs to bypass sanitization, potentially leaving executable scripts in output that execute as cross-site scripting attacks. |
| AIKIDO-2026-10709 | MEDIUM | [dompurify] A function predicate for ADD_ATTR bypasses URI scheme validation for URL-bearing attributes, allowing disallowed schemes to pass sanitization and enable DOM-based XSS attacks. |
| AIKIDO-2026-10955 | MEDIUM | [dompurify] A hook vulnerability allows attackers to permanently modify internal allow-lists by widening them during sanitization, enabling forbidden tags and attributes like script or event handlers to persist in subsequently sanitized content. The fix clones default allow-lists before hook processing to prevent this poisoning. |
| AIKIDO-2026-10954 | MEDIUM | [dompurify] DOMPurify with IN_PLACE: true fails to sanitize malicious markup within shadow roots nested inside template elements, allowing attackers to inject onerror handlers and javascript: links that execute when the template is cloned or inserted, enabling cross-site scripting attacks. |
| GHSA-39q2-94rc-95cp | MEDIUM | [dompurify] A logic flaw in tag filtering allows ADD_TAGS functions to bypass FORBID_TAGS restrictions due to short-circuit evaluation, enabling forbidden tags to pass through when both features are used together. This creates a security bypass where blacklisted tags can be unexpectedly allowed. |
| AIKIDO-2026-11156 | LOW | [dompurify] A vulnerability allows attackers to inject template expressions (template-literal, mustache, or ERB fragments) into template elements when using specific configuration options, which can be executed as script during downstream template evaluation. The fix ensures expression scrubbing recursively processes template content, similar to shadow-DOM traversal. |
| AIKIDO-2026-10707 | MEDIUM | [zod] A prototype pollution vulnerability exists where object schemas with catchall merges treat the literal `__proto__` key as a normal property, allowing attackers to modify the prototype chain of validated objects and inject arbitrary inherited properties. |
| AIKIDO-2026-10706 | MEDIUM | [zod] Base64 validator incorrectly accepts strings with whitespace, allowing invalid Base64 inputs to pass validation by being normalized during decoding, weakening strict validation guarantees. |
| AIKIDO-2026-10999 | MEDIUM | [ai] The download helper accepts arbitrary URLs without validation, allowing attackers to access internal resources, perform SSRF attacks, or retrieve sensitive data from private networks. The vulnerability is fixed by validating URLs to reject non-HTTP(S) schemes, loopback addresses, and private IP ranges before and after redirects. |
| AIKIDO-2026-11000 | MEDIUM | [ai] A vulnerability allows attackers to inject system messages into user-supplied message arrays, potentially overriding developer-defined system instructions in text generation functions. This enables prompt injection attacks when end-user input is forwarded directly without sanitization. |
| AIKIDO-2026-10939 | MEDIUM | [undici] HTTP response validation weakness allows peers to close chunked responses prematurely, causing truncated data to be treated as complete. Additionally, deduplication header collisions can cause concurrent requests to share incorrect responses, potentially leading to information disclosure or integrity bypass. |
| AIKIDO-2026-11068 | MEDIUM | [@ungap/structured-clone] The deserialize function unsafely instantiates constructors from attacker-controlled input, allowing remote code execution through dangerous constructors like Function or Worker. The vulnerability stems from missing validation of constructor names before instantiation. |
| CVE-2025-13465 | MEDIUM | [lodash-es] A prototype pollution vulnerability in _.unset and _.omit functions allows attackers to delete methods from global prototypes via crafted paths. While this prevents property overwriting, it can cause denial of service by removing critical functionality. |
| CVE-2026-41148 | MEDIUM | [mermaid] A CSS injection vulnerability in diagram parsing allows attackers to inject arbitrary CSS rules through unsanitized classDef values, enabling page defacement, user tracking, and data exfiltration. The vulnerability stems from improper regex sanitization that permits closing braces to terminate CSS selectors and inject malicious rules into the page. |
| CVE-2026-41149 | MEDIUM | [mermaid] HTML injection vulnerability in classDef directive allows DOM injection that escapes SVG context, enabling attackers to inject malicious HTML elements (though script tags are stripped, preventing XSS). This could lead to defacement, phishing, or other HTML-based attacks. |
| CVE-2026-41150 | MEDIUM | [mermaid] A denial-of-service vulnerability exists when rendering gantt charts with the excludes attribute set to exclude all dates, causing the application to hang or crash during diagram rendering. |
| CVE-2026-41159 | MEDIUM | [mermaid] CSS injection vulnerability allows attackers to inject malicious styles via configuration options that escape automatic scoping, enabling page defacement and data exfiltration through CSS selectors. |
