npm package
next
pkg:npm/next
Vulnerabilities (47)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45109 | Hig | 7.5 | >= 15.2.0, < 15.5.18 | 15.5.18 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6. | |
| CVE-2026-44582 | Low | 3.7 | >= 13.4.6, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected co | |
| CVE-2026-44581 | Med | 4.7 | >= 13.4.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed no | |
| CVE-2026-44580 | Med | 6.1 | >= 13.0.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script cont | |
| CVE-2026-44579 | Hig | 7.5 | >= 15.0.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In | |
| CVE-2026-44578 | Hig | 8.6 | >= 13.4.13, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker ca | |
| CVE-2026-44577 | Med | 5.9 | >= 10.0.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. A | |
| CVE-2026-44576 | Med | 5.4 | >= 14.2.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditi | |
| CVE-2026-44575 | Hig | 7.5 | >= 15.2.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used fo | |
| CVE-2026-44574 | Hig | 8.1 | >= 15.4.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters c | |
| CVE-2026-44573 | Hig | 7.5 | >= 12.2.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-l | |
| CVE-2026-44572 | Low | 3.7 | >= 12.2.0, < 15.5.16 | 15.5.16 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/pr | |
| CVE-2026-29057 | — | >= 16.0.0-beta.0, < 16.1.7 | 16.1.7 | Mar 18, 2026 | Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could tri | ||
| CVE-2026-27980 | — | >= 16.0.0-beta.0, < 16.1.7 | 16.1.7 | Mar 18, 2026 | Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker | ||
| CVE-2026-27979 | — | >= 16.0.1, < 16.1.7 | 16.1.7 | Mar 18, 2026 | Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `ma | ||
| CVE-2026-27978 | — | >= 16.0.1, < 16.1.7 | 16.1.7 | Mar 17, 2026 | Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed ifra | ||
| CVE-2026-27977 | — | >= 16.0.1, < 16.1.7 | 16.1.7 | Mar 17, 2026 | Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configur | ||
| CVE-2025-59472 | — | >= 16.0.0-beta.0, < 16.1.5 | 16.1.5 | Jan 26, 2026 | A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data | ||
| CVE-2025-59471 | — | >= 10.0.0, < 15.5.10 | 15.5.10 | Jan 26, 2026 | A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing | ||
| CVE-2025-57752 | — | >= 0.9.9, < 14.2.31 | 14.2.31 | Aug 29, 2025 | Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such |
- affected >= 15.2.0, < 15.5.18fixed 15.5.18
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
- affected >= 13.4.6, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected co
- affected >= 13.4.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed no
- affected >= 13.0.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script cont
- affected >= 15.0.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In
- affected >= 13.4.13, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker ca
- affected >= 10.0.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. A
- affected >= 14.2.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditi
- affected >= 15.2.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used fo
- affected >= 15.4.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters c
- affected >= 12.2.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-l
- affected >= 12.2.0, < 15.5.16fixed 15.5.16
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/pr
- CVE-2026-29057Mar 18, 2026affected >= 16.0.0-beta.0, < 16.1.7fixed 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could tri
- CVE-2026-27980Mar 18, 2026affected >= 16.0.0-beta.0, < 16.1.7fixed 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker
- CVE-2026-27979Mar 18, 2026affected >= 16.0.1, < 16.1.7fixed 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `ma
- CVE-2026-27978Mar 17, 2026affected >= 16.0.1, < 16.1.7fixed 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed ifra
- CVE-2026-27977Mar 17, 2026affected >= 16.0.1, < 16.1.7fixed 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configur
- CVE-2025-59472Jan 26, 2026affected >= 16.0.0-beta.0, < 16.1.5fixed 16.1.5
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data
- CVE-2025-59471Jan 26, 2026affected >= 10.0.0, < 15.5.10fixed 15.5.10
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing
- CVE-2025-57752Aug 29, 2025affected >= 0.9.9, < 14.2.31fixed 14.2.31
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such
Page 1 of 3