VYPR

npm package

next

pkg:npm/next

Vulnerabilities (47)

  • CVE-2025-55173 (Aug 29, 2025)
    affected >= 0.9.9, < 14.2.31; fixed 14.2.31

    Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file download

  • CVE-2025-57822 (Aug 29, 2025)
    affected >= 0.9.9, < 14.2.32; fixed 14.2.32

    Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. Thi

  • CVE-2025-49826 (Jul 3, 2025)
    affected >= 15.0.4-canary.51, < 15.1.8; fixed 15.1.8

    Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain

  • CVE-2025-49005 (Jul 3, 2025)
    affected >= 15.3.0, < 15.3.3; fixed 15.3.3

    Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Com

  • CVE-2025-48068 (May 30, 2025)
    affected >= 15.0.0, < 15.2.2; fixed 15.2.2

    Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerabilit

  • CVE-2025-32421 (May 14, 2025)
    affected >= 0.9.9, < 14.2.24; fixed 14.2.24

    Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of

  • CVE-2025-30218 (Apr 2, 2025)
    affected >= 12.3.5, < 12.3.6; fixed 12.3.6

    Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is n

  • CVE-2025-29927 (Mar 21, 2025)
    affected >= 13.0.0, < 13.5.9; fixed 13.5.9

    Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware

  • CVE-2024-56332 (Jan 3, 2025)
    affected >= 13.0.0, < 13.5.8; fixed 13.5.8

    Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Serve

  • CVE-2024-51479 (Dec 17, 2024)
    affected >= 9.5.5, < 14.2.15; fixed 14.2.15

    Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root

  • CVE-2024-47831 (Oct 14, 2024)
    affected >= 10.0.0, < 14.2.7; fixed 14.2.7

    Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU con

  • CVE-2024-46982 (Sep 17, 2024)
    affected >= 13.5.1, < 13.5.7; fixed 13.5.7

    Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it

  • CVE-2024-39693 (Jul 10, 2024)
    affected >= 13.3.1, < 13.5.0; fixed 13.5.0

    Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. This vulnerability was resolved in Next.js 13.5 and later.

  • CVE-2024-34351 (May 9, 2024)
    affected >= 13.4.0, < 14.1.1; fixed 14.1.1

    Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able

  • CVE-2024-34350 (May 9, 2024)
    affected >= 13.4.0, < 13.5.1; fixed 13.5.1

    Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchro

  • CVE-2023-46298 (Oct 22, 2023)
    affected >= 0.9.9, < 13.4.20-canary.13; fixed 13.4.20-canary.13

    Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

  • CVE-2022-36046 (Aug 31, 2022)
    affected >= 12.2.3, < 12.2.4; fixed 12.2.4

    Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start o

  • CVE-2022-23646 (Feb 17, 2022)
    affected >= 10.0.0, < 12.1.0; fixed 12.1.0

    Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the

  • CVE-2022-21721 (Jan 28, 2022)
    affected >= 12.0.0, < 12.0.9; fixed 12.0.9

    Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom serv

  • CVE-2021-43803 (Dec 9, 2021)
    affected >= 12.0.0, < 12.0.5; fixed 12.0.5

    Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next st