# Next.js v16.2.4 → v16.2.5 Commit Analysis
## Statistics
- **Total commits between tags**: 30
- **Security-related commits**: 12
- **Files changed**: 207 (5,797 insertions, 1,228 deletions)
- **Source files (non-test, non-compiled)**: 54
## Security-Related Commits
| SHA | Subject | Likely Vulnerability Class |
|-----|---------|----------------------------|
| `0dd94836a8` | fix: add explicit checks for RSC header (#83) (#98) | RSC header spoofing / cache poisoning |
| `d166096c39` | fix proxy matching for segment prefetch URLs (#89) (#96) | Auth bypass / SSRF / proxy bypass |
| `9d50c0b719` | Strip next-resume header from incoming requests (#92) | Header injection / response smuggling |
| `ed41d1d454` | Move htmlescape to shared/lib (#91) | XSS hardening (refactor for fix) |
| `b4c6705c70` | Ignore malformed CSP nonce headers | CSP bypass / XSS |
| `5b194ee2d4` | router-server: guard upgrade proxy against absolute-url SSRF (#77) | **SSRF** (websocket upgrade) |
| `66f6017f15` | Escape properties for beforeInteractive scripts (#86) | **XSS** in `<Script strategy="beforeInteractive">` |
| `f1c11203d5` | [backport] Fix double-encoding of URL pathname parts in client param parsing (#93506) | Path traversal / param injection |
| `af0e96ba23` | Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541) | Cache poisoning / response confusion |
| `6fd09bf8ab` | Patch setHeader for direct route handlers (#93101) | Response header pollution |
| `688ed31e21` | Strengthen _rsc cache-busting param (#92755) | **CDN cache poisoning** |
| `15341fdf49` | Ensure x-nextjs-data header is only set during resolve (#92752) | Cache poisoning / data leak |
## Possibly-Relevant Non-Tagged Commits
- `89e995431a` [16.x] Type hardening and performance improvements (#80) — bundles multiple fixes
- `cb171d7494` Fix i18n middleware matching for default-locale data routes (#82) — middleware matching
- `df7ab5ad72` fix: skip internal param normalization in unsupported environments
## File Locations
- Commit list: `/workspace/tasks/d250e203-4313-4be3-b108-837c2f8ea693/commits-oneline.txt`
- Full commits: `/workspace/tasks/d250e203-4313-4be3-b108-837c2f8ea693/commits-full.txt`
- Stat output: `/workspace/tasks/d250e203-4313-4be3-b108-837c2f8ea693/commits-stat.txt`
- Security commits: `/workspace/tasks/d250e203-4313-4be3-b108-837c2f8ea693/security-commits.txt`
- Changed source files: `/workspace/tasks/d250e203-4313-4be3-b108-837c2f8ea693/changed-source-files.txt`
- Per-commit diffs: `/workspace/tasks/d250e203-4313-4be3-b108-837c2f8ea693/diffs/<SHA>.diff`
- Cloned repo: `/workspace/tasks/d250e203-4313-4be3-b108-837c2f8ea693/nextjs-analysis/nextjs/`
## Top Changed Source Files (security-relevant)
- `packages/next/src/server/lib/router-server.ts` — SSRF fix
- `packages/next/src/server/lib/router-utils/resolve-routes.ts` — proxy matching
- `packages/next/src/server/lib/patch-set-header.ts` — setHeader patching
- `packages/next/src/server/lib/is-rsc-request.ts` — RSC header validation
- `packages/next/src/client/script.tsx` + `packages/next/src/pages/_document.tsx` — beforeInteractive XSS
- `packages/next/src/shared/lib/htmlescape.ts` — html escaping
- `packages/next/src/server/app-render/get-script-nonce-from-header.tsx` — CSP nonce hardening
- `packages/next/src/shared/lib/router/utils/cache-busting-search-param.ts` — `_rsc` cache-busting
- `packages/next/src/client/route-params.ts` — URL pathname double-encoding
- `packages/next/src/export/routes/app-route.ts` — route-level RSC HTML response fix