npm package
next
pkg:npm/next
Vulnerabilities (47)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-39178 | — |  |  | >= 10.0.0, < 11.1.1 | 11.1.1 | Aug 30, 2021 | Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned |
| CVE-2021-37699 | — |  |  | >= 0.9.9, < 11.1.0 | 11.1.0 | Aug 11, 2021 | Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect do |
| CVE-2020-15242 | — |  |  | >= 9.5.0, < 9.5.4 | 9.5.4 | Oct 8, 2020 | Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phi |
| CVE-2020-5284 | — |  |  | >= 0.9.9, < 9.3.2 | 9.3.2 | Mar 30, 2020 | Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets u |
| CVE-2018-18282 | — |  |  | >= 7.0.0, < 7.0.2 | 7.0.2 | Oct 12, 2018 | Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. |
| CVE-2018-6184 | — |  |  | >= 1.0.0, < 4.2.3 | 4.2.3 | Jan 24, 2018 | ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace. |
| CVE-2017-16877 | High | 7.5 |  | >= 1.0.0, < 2.4.1 | 2.4.1 | Nov 17, 2017 | ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. |
Page 3 of 3