Next.js Security Changelog

Security-only timeline for Next.js. This page excludes general release notes and lists only published vulnerability fixes with security impact, affected components, fixed versions, CVEs, and upstream advisory links where available.

Fixes 52 High/Critical 22

Check an installed version

Enter a Next.js version to show only security fixes whose affected-version range includes that version.

Version

Showing all 52 security fixes.

Date	Security fix	Severity	Affected versions	Fixed in	Advisory
2026-05-11	Next.js has a Denial of Service in the Image Optimization API Impact When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that match the `images.localPatterns` configuration (by default, all patterns are allowed). If you are using `images.localPatterns`, only the patterns in that array are impacted. If you are using `images.unoptimized: true… Component: next	Medium	>= 10.0.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44577
2026-05-11	Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes Impact App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted `.rsc` and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. Fix We now include App Router transport variants when gene… Component: next	High	>= 15.2.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44575
2026-05-11	Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up Impact It was found that the fix addressing CVE-2026-44575 did not apply to `middleware.ts` with Turbopack. Refer to CVE-2026-44575 for further details. References CVE CVE-2026-44575 Component: next	High	>= 15.2.0, < 15.5.18; >= 16.0.0, < 16.2.6	15.5.18, 16.2.6	CVE-2026-45109
2026-05-11	Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n Impact Applications using the Pages Router with `i18n` configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less `/_next/data/<buildId>/<page>.json` requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks. Fix The matcher logic was updated to perform the same match as it would on a non-i18n d… Component: next	High	>= 12.2.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44573
2026-05-11	Next.js has cross-site scripting in beforeInteractive scripts with untrusted input Impact Applications that use `beforeInteractive` scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor’s browser. Fix We now HTML-escape serialized `beforeInteractive` script content before embedding it into the page, preventing atta… Component: next	Medium	>= 13.0.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44580
2026-05-11	Next.js vulnerable to cache poisoning in React Server Component responses Impact Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML. Fix We now validate and interpret `RSC` request headers consistently across request classification and rendering, and we enforce the intended cache-b… Component: next	Medium	>= 14.2.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44576
2026-05-11	Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting Impact React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the `_rsc` cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. Fix We strengthened the `_rsc` cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cach… Component: next	Low	>= 13.4.6, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44582
2026-05-11	Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components Impact Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. Fix We now treat the header used for resuming Partial Prerendered requests as an internal-only… Component: next	High	>= 15.0.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44579
2026-05-11	Next.js Vulnerable to Denial of Service with Server Components A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23870. A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatche… Component: next	High	>= 13.0.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	Advisory
2026-05-11	Next.js’s Middleware / Proxy redirects can be cache-poisoned Impact Next.js uses the `x-nextjs-data` request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard `Location` redirect header with the internal `x-nextjs-redirect` header. Browsers do not follow `x-nextjs-redirect`, so the response became an unusable redirect for normal clients.… Component: next	Low	>= 12.2.0, < 15.5.16; >= 16.0.0, < 16.2.5	15.5.16, 16.2.5	CVE-2026-44572
2026-04-10	Next.js has a Denial of Service with Server Components A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23869. You can read more about this advisory our this changelog. A specially crafted HTTP request can be sent to any App Router Server Function… Component: next	High	>= 13.0.0, < 15.5.15; >= 16.0.0-beta.0, < 16.2.3	15.5.15, 16.2.3	Advisory
2026-03-17	Next.js: HTTP request smuggling in rewrites Summary When Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. Impact An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applicati… Component: next	Medium	>= 16.0.0-beta.0, < 16.1.7; >= 9.5.0, < 15.5.13	15.5.13, 16.1.7	CVE-2026-29057
2026-03-17	Next.js: null origin can bypass dev HMR websocket CSRF checks Summary In `next dev`, cross-site protections for internal development endpoints could treat `Origin: null` as a bypass case even when `allowedDevOrigins` is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly. Impact If a developer visits attacker-controlled content while running an affected `next dev` se… Component: next	Low	>= 16.0.1, < 16.1.7	16.1.7	CVE-2026-27977
2026-03-17	Next.js: null origin can bypass Server Actions CSRF checks Summary `origin: null` was treated as a “missing” origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. Impact An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). Patches Fixed by treating `'null'` as an explicit origin value and enforcing ho… Component: next	Medium	>= 16.0.1, < 16.1.7	16.1.7	CVE-2026-27978
2026-03-17	Next.js: Unbounded next/image disk cache growth can exhaust storage Summary The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. Impact An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel. Patches Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-us… Component: next	Medium	>= 16.0.0-beta.0, < 16.1.7; >= 10.0.0, < 15.5.14	15.5.14, 16.1.7	CVE-2026-27980
2026-03-17	Next.js: Unbounded postponed resume buffering can lead to DoS Summary A request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. Impact In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheCompon… Component: next	Medium	>= 16.0.1, < 16.1.7	16.1.7	CVE-2026-27979
2026-01-28	Next.js has Unbounded Memory Consumption via PPR Resume Endpoint A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion: Unbounded request body buffering: The server buffers the entire POST request body into memory using `Buffer.concat()` wi… Component: next	Medium	>= 16.0.0-beta.0, < 16.1.5; >= 15.6.0-canary.0, < 15.6.0-canary.61; >= 15.0.0-canary.0, <= 15.0.0-canary.205; >= 15.0.1-canary.0, <= 15.0.1-canary.3; >= 15.0.2-canary.0, <= 15.0.2-canary.11; >= 15.0.3-canary.0, <= 15.0.3-canary.9; >= 15.0.4-canary.0, <= 15.0.4-canary.52; >= 15.1.1-canary.0, <= 15.1.1-canary.27; >= 15.2.0-canary.0, <= 15.2.0-canary.77; >= 15.2.1-canary.0, <= 15.2.1-canary.6; >= 15.2.2-canary.0, <= 15.2.2-canary.7; >= 15.3.0-canary.0, <= 15.3.0-canary.46; >= 15.3.1-canary.0, <= 15.3.1-canary.15; >= 15.4.0-canary.0, <= 15.4.0-canary.130; >= 15.4.2-canary.0, <= 15.4.2-canary.56; >= 15.5.1-canary.0, <= 15.5.1-canary.39	15.6.0-canary.61, 16.1.5	CVE-2025-59472
2026-01-28	Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864. A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, o… Component: next	High	>= 13.0.0, < 15.0.8; >= 15.1.1-canary.0, < 15.1.12; >= 15.2.0-canary.0, < 15.2.9; >= 15.3.0-canary.0, < 15.3.9; >= 15.4.0-canary.0, < 15.4.11; >= 15.5.1-canary.0, < 15.5.10; >= 15.6.0-canary.0, < 15.6.0-canary.61; >= 16.0.0-beta.0, < 16.0.11; >= 16.1.0-canary.0, < 16.1.5	15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5	Advisory
2026-01-27	Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or c… Component: next	Medium	>= 10.0.0, < 15.5.10; >= 15.6.0-canary.0, < 16.1.5	15.5.10, 16.1.5	CVE-2025-59471
2025-12-12	Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption. This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Rout… Component: next	High	>= 13.3.1-canary.0, < 14.2.35; >= 15.0.6, < 15.0.7; >= 15.1.10, < 15.1.11; >= 15.2.7, < 15.2.8; >= 15.3.7, < 15.3.8; >= 15.4.9, < 15.4.10; >= 15.5.8, < 15.5.9; >= 15.6.0-canary.59, < 15.6.0-canary.60; >= 16.0.9, < 16.0.10; >= 16.1.0-canary.17, < 16.1.0-canary.19	14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 15.6.0-canary.60, 16.0.10, 16.1.0-canary.19	Advisory
2025-12-11	Next Server Actions Source Code Exposure A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183. A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This cou… Component: next	Medium	>= 15.0.0-canary.0, < 15.0.6; >= 15.1.1-canary.0, < 15.1.10; >= 15.2.0-canary.0, < 15.2.7; >= 15.3.0-canary.0, < 15.3.7; >= 15.4.0-canary.0, < 15.4.9; >= 15.5.1-canary.0, < 15.5.8; >= 15.6.0-canary.0, < 15.6.0-canary.59; >= 16.0.0-beta.0, < 16.0.9; >= 16.1.0-canary.0, < 16.1.0-canary.17	15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 15.6.0-canary.59, 16.0.9, 16.1.0-canary.17	Advisory
2025-12-11	Next Vulnerable to Denial of Service with Server Components A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184. A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unp… Component: next	High	>= 13.3.0, < 14.2.34; >= 15.0.0-canary.0, < 15.0.6; >= 15.1.1-canary.0, < 15.1.10; >= 15.2.0-canary.0, < 15.2.7; >= 15.3.0-canary.0, < 15.3.7; >= 15.4.0-canary.0, < 15.4.9; >= 15.5.1-canary.0, < 15.5.8; >= 15.6.0-canary.0, < 15.6.0-canary.59; >= 16.0.0-beta.0, < 16.0.9; >= 16.1.0-canary.0, < 16.1.0-canary.17	14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 15.6.0-canary.59, 16.0.9, 16.1.0-canary.17	Advisory
2025-12-03	Next.js is vulnerable to RCE in React flight protocol A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182. Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+ The vulnerability also affects experimental canary releases startin… Component: next	Critical	>= 14.3.0-canary.77, < 15.0.5; >= 15.2.0-canary.0, < 15.2.6; >= 15.3.0-canary.0, < 15.3.6; >= 15.4.0-canary.0, < 15.4.8; >= 16.0.0-canary.0, < 16.0.7; >= 15.1.0-canary.0, < 15.1.9; >= 15.5.0-canary.0, < 15.5.7	15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7	Advisory
2025-08-29	Next.js Affected by Cache Key Confusion for Image Optimization API Routes A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-202… Component: next	Medium	>= 15.0.0, <= 15.4.4; >= 0.9.9, < 14.2.31	14.2.31, 15.4.5	CVE-2025-57752
2025-08-29	Next.js Content Injection Vulnerability for Image Optimization A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](http… Component: next	Medium	>= 15.0.0, <= 15.4.4; >= 0.9.9, < 14.2.31	14.2.31, 15.4.5	CVE-2025-55173
2025-08-29	Next.js Improper Middleware Redirect Handling Leads to SSRF A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function. Mo… Component: next	Medium	>= 15.0.0-canary.0, < 15.4.7; >= 0.9.9, < 14.2.32	14.2.32, 15.4.7	CVE-2025-57822
2025-07-03	Next.js has a Cache poisoning vulnerability due to omission of the Vary header Summary A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3. Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior. More details: CVE-2025-49005 Component: next	Low	>= 15.3.0, < 15.3.3	15.3.3	CVE-2025-49005
2025-07-03	Next.JS vulnerability can lead to DoS via cache poisoning Summary A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page More details: CVE-2025-49826 Credits Allam Rachid [zhero;](https://zhero-web-sec.github.io… Component: next	High	>= 15.0.4-canary.51, < 15.1.8	15.1.8	CVE-2025-49826
2025-05-28	Information exposure in Next.js dev server due to lack of origin verification Summary A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while `npm run dev` is active. Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure `allowedDevOrigins` in your next con… Component: next	Low	>= 15.0.0, < 15.2.2; >= 13.0, < 14.2.30	14.2.30, 15.2.2	CVE-2025-48068
2025-05-15	Next.js Race Condition to Cache Poisoning Summary We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. Learn more here Credit Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program. Component: next	Low	>= 15.0.0, < 15.1.6; >= 0.9.9, < 14.2.24	14.2.24, 15.1.6	CVE-2025-32421
2025-04-02	Next.js may leak x-middleware-subrequest-id to external hosts Summary In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers. Learn more here. Credit Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Sec… Component: next	Low	= 12.3.5; = 13.5.9; = 14.2.25; = 15.2.3	12.3.6, 13.5.10, 14.2.26, 15.2.4	CVE-2025-30218
2025-03-21	Authorization Bypass in Next.js Middleware Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. Patches For Next.js 15.x, this issue is fixed in `15.2.3` For Next.js 14.x, this issue is fixed in `14.2.25` For Next.js 13.x, this issue is fixed in 13.5.9 For Next.js 12.x, this issue is fixed in 12.3.5 For Next.js 11.x, consult the below workaround. Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability. Workaround If… Component: next	Critical	>= 13.0.0, < 13.5.9; >= 14.0.0, < 14.2.25; >= 15.0.0, < 15.2.3; >= 12.0.0, < 12.3.5	12.3.5, 13.5.9, 14.2.25, 15.2.3	CVE-2025-29927
2025-01-03	Next.js Allows a Denial of Service (DoS) with Server Actions Impact A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time. Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function… Component: next	Medium	>= 13.0.0, < 13.5.8; >= 14.0.0, < 14.2.21; >= 15.0.0, < 15.1.2	13.5.8, 14.2.21, 15.1.2	CVE-2024-56332
2024-12-17	Next.js authorization bypass vulnerability Impact If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed. Patches This issue was patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. Workarounds There are no official workarounds for this vulnerability. Credits We’d like to thank tyage (GMO CyberSecurity by IE… Component: next	High	>= 9.5.5, < 14.2.15	14.2.15	CVE-2024-51479
2024-10-14	Denial of Service condition in Next.js image optimization Impact The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Not affected: The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value. The Next.js application is hosted on Vercel. Patches This issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version. Workaro… Component: next	Medium	>= 10.0.0, < 14.2.7	14.2.7	CVE-2024-47831
2024-09-17	Next.js Cache Poisoning Impact By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: Next.js between 13.5.1 and 14.2.9 Using pages… Component: next	High	>= 13.5.1, < 13.5.7; >= 14.0.0, < 14.2.10	13.5.7, 14.2.10	CVE-2024-46982
2024-07-10	Next.js Denial of Service (DoS) condition Impact A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. This vulnerability can affect all Next.js deployments on the affected versions. Patches This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version. Workarounds There are no official workarounds for this vulnerability. Credit Thai Vu of flyseccorp.com Aonan… Component: next	High	>= 13.3.1, < 13.5.0	13.5.0	CVE-2024-39693
2024-05-09	Next.js Server-Side Request Forgery in Server Actions Impact A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. Prerequisites Next.js (`<14.1.1`) is running in a self-hosted* manner. The Next.js application makes use of Server Actions. The Server Action performs a redirect to a relative pa… Component: next	High	>= 13.4.0, < 14.1.1	14.1.1	CVE-2024-34351
2024-05-09	Next.js Vulnerable to HTTP Request Smuggling Impact Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js. Patches The vulnerability is resolved in Next… Component: next	High	>= 13.4.0, < 13.5.1	13.5.1	CVE-2024-34350
2023-10-22	Next.js missing cache-control header may lead to CDN caching empty reply Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets. Component: next	Low	>= 0.9.9, < 13.4.20-canary.13	13.4.20-canary.13	CVE-2023-46298
2022-08-30	Unexpected server crash in Next.js Impact When specific requests are made to the Next.js server it can cause an `unhandledRejection` in the server which can crash the process to exit in specific Node.js versions with strict `unhandledRejection` handling. Affected: All of the following must be true to be affected by this CVE Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting Next.js version v12.2.3 Using next start or a custom server No… Component: next	Medium	= 12.2.3	12.2.4	CVE-2022-36046
2022-02-17	Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0 Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue.… Component: next	Medium	>= 10.0.0, < 12.1.0	12.1.0	CVE-2022-23646
2022-01-28	Denial of Service Vulnerability in next.js Impact Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality. Affected: All of the following must be true to be affected by this CVE Next.js versions above v12.0.0 Using next start or a custom server Using the built-in i18n support Not affected: Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reac… Component: next	Medium	>= 12.0.0, < 12.0.9	12.0.9	CVE-2022-21721
2021-12-07	Unexpected server crash in Next.js. Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version… Component: next	High	>= 12.0.0, < 12.0.5; >= 0.9.9, < 11.1.3	11.1.3, 12.0.5	CVE-2021-43803
2021-09-01	XSS in Image Optimization API for Next.js Impact Affected: All of the following must be true to be affected Next.js between version 10.0.0 and 11.1.0 The `next.config.js` file has `images.domains` array assigned The image host assigned in `images.domains` allows user-provided SVG Not affected: The `next.config.js` file has [`images.loader`](https://nextjs.org/docs/basic-features/image-o… Component: next	High	>= 10.0.0, < 11.1.1	11.1.1	CVE-2021-39178
2021-08-12	Open Redirect in Next.js Impact Affected: Users of Next.js between `10.0.5` and `10.2.0` Affected: Users of Nex… Component: next	Medium	>= 0.9.9, < 11.1.0	11.1.0	CVE-2021-37699
2020-10-08	Open Redirect in Next.js versions Impact Affected: Users of Next.js between 9.5.0 and 9.5.3 Not affected: Deployments on Vercel (https://vercel.com) are not affected Not affected: Deployments using `next export` We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. Patches https://github.com/vercel/next.js/releases/tag/v9.5.4 References https://github.com/vercel/next.js/releases/tag/v9.5.4 Component: next	Medium	>= 9.5.0, < 9.5.4	9.5.4	CVE-2020-15242
2020-09-04	Remote Code Execution in next Recommendation Upgrade to version 5.1.0. Component: next	High	>= 0.9.9, < 5.1.0	5.1.0	Advisory
2020-03-30	Directory Traversal in Next.js Impact Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected Not affected: Deployments using the `serverless` target Not affected: Deployments using `next export` Affected: Users of Next.js below 9.3.2 We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. Patches https://github.com/zeit/next.js/releases/tag/v9.3.2 References https://github.com/zeit/next.js/releases/tag/v9.3.2 Component: next	Medium	>= 0.9.9, < 9.3.2	9.3.2	CVE-2020-5284
2018-10-15	Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. Component: next	Medium	>= 7.0.0, < 7.0.2	7.0.2	CVE-2018-18282
2018-01-24	Directory traversal vulnerability in Next.js Next.js 4 before 4.2.3 has Directory Traversal under the `/_next` request namespace. Component: next	High	>= 1.0.0, < 4.2.3	4.2.3	CVE-2018-6184
2017-12-05	Next.js Directory Traversal Vulnerability Next.js before 2.4.1 has directory traversal under the `/_next` and `/static` request namespace, allowing attackers to obtain sensitive information. Component: next	High	>= 1.0.0, < 2.4.1	2.4.1	CVE-2017-16877

nextjs-ghsa-h64f-5h5j-jqjh · 2026-05-11

Medium

Next.js has a Denial of Service in the Image Optimization API

Impact

When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed).

If you are using images.localPatterns, only the patterns in that array are impacted.
If you are using `images.unoptimized: true…

Affected versions: >= 10.0.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

CVE-2026-44577

nextjs-ghsa-267c-6grr-h53f · 2026-05-11

High

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when gene…

Affected versions: >= 15.2.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Workaround: Upgrade to a fixed release

CVE-2026-44575

nextjs-ghsa-26hh-7cqf-hhc6 · 2026-05-11

High

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

Impact

It was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. Refer to CVE-2026-44575 for further details.

References

CVE CVE-2026-44575

Affected versions: >= 15.2.0, < 15.5.18; >= 16.0.0, < 16.2.6
Fixed in: 15.5.18, 16.2.6
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-288: Authentication Bypass Using an Alternate Path or Channel
Workaround: Upgrade to a fixed release

CVE-2026-45109

nextjs-ghsa-36qx-fr4f-26g5 · 2026-05-11

High

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

Impact

Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data/<buildId>/<page>.json requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n d…

Affected versions: >= 12.2.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-863: Incorrect Authorization
Workaround: Upgrade to a fixed release

CVE-2026-44573

nextjs-ghsa-gx5p-jg67-6x7h · 2026-05-11

Medium

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

Impact

Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor’s browser.

Fix

We now HTML-escape serialized beforeInteractive script content before embedding it into the page, preventing atta…

Affected versions: >= 13.0.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 6.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Workaround: Upgrade to a fixed release

CVE-2026-44580

nextjs-ghsa-wfc6-r584-vfw7 · 2026-05-11

Medium

Next.js vulnerable to cache poisoning in React Server Component responses

Impact

Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.

Fix

We now validate and interpret RSC request headers consistently across request classification and rendering, and we enforce the intended cache-b…

Affected versions: >= 14.2.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L
CWE: CWE-436: Interpretation Conflict
Workaround: Upgrade to a fixed release

CVE-2026-44576

nextjs-ghsa-vfv6-92ff-j949 · 2026-05-11

Low

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

Impact

React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.

Fix

We strengthened the _rsc cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cach…

Affected versions: >= 13.4.6, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 3.7 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-328: Use of Weak Hash
Workaround: Upgrade to a fixed release

CVE-2026-44582

nextjs-ghsa-mg66-mrh9-m8jx · 2026-05-11

High

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

Impact

Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.

Fix

We now treat the header used for resuming Partial Prerendered requests as an internal-only…

Affected versions: >= 15.0.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

CVE-2026-44579

nextjs-ghsa-8h8q-6873-q5fj · 2026-05-11

High

Next.js Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23870.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatche…

Affected versions: >= 13.0.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-3g8h-86w9-wvmq · 2026-05-11

Low

Next.js’s Middleware / Proxy redirects can be cache-poisoned

Impact

Next.js uses the x-nextjs-data request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.

When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients.…

Affected versions: >= 12.2.0, < 15.5.16; >= 16.0.0, < 16.2.5
Fixed in: 15.5.16, 16.2.5
CVSS: 3.7 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Workaround: Upgrade to a fixed release

CVE-2026-44572

nextjs-ghsa-q4gf-8mx6-v5v3 · 2026-04-10

High

Next.js has a Denial of Service with Server Components

A specially crafted HTTP request can be sent to any App Router Server Function…

Affected versions: >= 13.0.0, < 15.5.15; >= 16.0.0-beta.0, < 16.2.3
Fixed in: 15.5.15, 16.2.3
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-ggv3-7p47-pfv8 · 2026-03-17

Medium

Next.js: HTTP request smuggling in rewrites

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applicati…

Affected versions: >= 16.0.0-beta.0, < 16.1.7; >= 9.5.0, < 15.5.13
Fixed in: 15.5.13, 16.1.7
CVSS: Not listed
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Workaround: Upgrade to a fixed release

CVE-2026-29057

nextjs-ghsa-jcc7-9wpm-mj36 · 2026-03-17

Low

Next.js: null origin can bypass dev HMR websocket CSRF checks

Summary

In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

Impact

If a developer visits attacker-controlled content while running an affected next dev se…

Affected versions: >= 16.0.1, < 16.1.7
Fixed in: 16.1.7
CVSS: Not listed
CWE: CWE-1385: Missing Origin Validation in WebSockets
Workaround: Upgrade to a fixed release

CVE-2026-27977

nextjs-ghsa-mq59-m269-xvcx · 2026-03-17

Medium

Next.js: null origin can bypass Server Actions CSRF checks

Summary

origin: null was treated as a “missing” origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

Patches

Fixed by treating 'null' as an explicit origin value and enforcing ho…

Affected versions: >= 16.0.1, < 16.1.7
Fixed in: 16.1.7
CVSS: Not listed
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
Workaround: Upgrade to a fixed release

CVE-2026-27978

nextjs-ghsa-3x4c-7xq6-9pq8 · 2026-03-17

Medium

Next.js: Unbounded next/image disk cache growth can exhaust storage

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-us…

Affected versions: >= 16.0.0-beta.0, < 16.1.7; >= 10.0.0, < 15.5.14
Fixed in: 15.5.14, 16.1.7
CVSS: Not listed
CWE: CWE-400: Uncontrolled Resource Consumption
Workaround: Upgrade to a fixed release

CVE-2026-27980

nextjs-ghsa-h27x-g6w4-24gq · 2026-03-17

Medium

Next.js: Unbounded postponed resume buffering can lead to DoS

Summary

A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

Impact

In applications using the App Router with Partial Prerendering capability enabled (via experimental.ppr or `cacheCompon…

Affected versions: >= 16.0.1, < 16.1.7
Fixed in: 16.1.7
CVSS: Not listed
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

CVE-2026-27979

nextjs-ghsa-5f7q-jpqc-wp7h · 2026-01-28

Medium

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() wi…

Affected versions: >= 16.0.0-beta.0, < 16.1.5; >= 15.6.0-canary.0, < 15.6.0-canary.61; >= 15.0.0-canary.0, <= 15.0.0-canary.205; >= 15.0.1-canary.0, <= 15.0.1-canary.3; >= 15.0.2-canary.0, <= 15.0.2-canary.11; >= 15.0.3-canary.0, <= 15.0.3-canary.9; >= 15.0.4-canary.0, <= 15.0.4-canary.52; >= 15.1.1-canary.0, <= 15.1.1-canary.27; >= 15.2.0-canary.0, <= 15.2.0-canary.77; >= 15.2.1-canary.0, <= 15.2.1-canary.6; >= 15.2.2-canary.0, <= 15.2.2-canary.7; >= 15.3.0-canary.0, <= 15.3.0-canary.46; >= 15.3.1-canary.0, <= 15.3.1-canary.15; >= 15.4.0-canary.0, <= 15.4.0-canary.130; >= 15.4.2-canary.0, <= 15.4.2-canary.56; >= 15.5.1-canary.0, <= 15.5.1-canary.39
Fixed in: 15.6.0-canary.61, 16.1.5
CVSS: 5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption, CWE-409: Improper Handling of Highly Compressed Data (Data Amplification), CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

CVE-2025-59472

nextjs-ghsa-h25m-26qc-wcjf · 2026-01-28

High

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, o…

Affected versions: >= 13.0.0, < 15.0.8; >= 15.1.1-canary.0, < 15.1.12; >= 15.2.0-canary.0, < 15.2.9; >= 15.3.0-canary.0, < 15.3.9; >= 15.4.0-canary.0, < 15.4.11; >= 15.5.1-canary.0, < 15.5.10; >= 15.6.0-canary.0, < 15.6.0-canary.61; >= 16.0.0-beta.0, < 16.0.11; >= 16.1.0-canary.0, < 16.1.5
Fixed in: 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption, CWE-502: Deserialization of Untrusted Data
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-9g9p-9gw9-jx7f · 2026-01-27

Medium

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or c…

Affected versions: >= 10.0.0, < 15.5.10; >= 15.6.0-canary.0, < 16.1.5
Fixed in: 15.5.10, 16.1.5
CVSS: 5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption, CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

CVE-2025-59471

nextjs-ghsa-5j59-xgg2-r9c4 · 2025-12-12

High

Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Rout…

Affected versions: >= 13.3.1-canary.0, < 14.2.35; >= 15.0.6, < 15.0.7; >= 15.1.10, < 15.1.11; >= 15.2.7, < 15.2.8; >= 15.3.7, < 15.3.8; >= 15.4.9, < 15.4.10; >= 15.5.8, < 15.5.9; >= 15.6.0-canary.59, < 15.6.0-canary.60; >= 16.0.9, < 16.0.10; >= 16.1.0-canary.17, < 16.1.0-canary.19
Fixed in: 14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 15.6.0-canary.60, 16.0.10, 16.1.0-canary.19
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption, CWE-502: Deserialization of Untrusted Data, CWE-1395: Dependency on Vulnerable Third-Party Component
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-w37m-7fhw-fmv9 · 2025-12-11

Medium

Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This cou…

Affected versions: >= 15.0.0-canary.0, < 15.0.6; >= 15.1.1-canary.0, < 15.1.10; >= 15.2.0-canary.0, < 15.2.7; >= 15.3.0-canary.0, < 15.3.7; >= 15.4.0-canary.0, < 15.4.9; >= 15.5.1-canary.0, < 15.5.8; >= 15.6.0-canary.0, < 15.6.0-canary.59; >= 16.0.0-beta.0, < 16.0.9; >= 16.1.0-canary.0, < 16.1.0-canary.17
Fixed in: 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 15.6.0-canary.59, 16.0.9, 16.1.0-canary.17
CVSS: 5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere, CWE-502: Deserialization of Untrusted Data, CWE-1395: Dependency on Vulnerable Third-Party Component
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-mwv6-3258-q52c · 2025-12-11

High

Next Vulnerable to Denial of Service with Server Components

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unp…

Affected versions: >= 13.3.0, < 14.2.34; >= 15.0.0-canary.0, < 15.0.6; >= 15.1.1-canary.0, < 15.1.10; >= 15.2.0-canary.0, < 15.2.7; >= 15.3.0-canary.0, < 15.3.7; >= 15.4.0-canary.0, < 15.4.9; >= 15.5.1-canary.0, < 15.5.8; >= 15.6.0-canary.0, < 15.6.0-canary.59; >= 16.0.0-beta.0, < 16.0.9; >= 16.1.0-canary.0, < 16.1.0-canary.17
Fixed in: 14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 15.6.0-canary.59, 16.0.9, 16.1.0-canary.17
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption, CWE-502: Deserialization of Untrusted Data, CWE-1395: Dependency on Vulnerable Third-Party Component
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-9qr9-h5gf-34mp · 2025-12-03

Critical

Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases startin…

Affected versions: >= 14.3.0-canary.77, < 15.0.5; >= 15.2.0-canary.0, < 15.2.6; >= 15.3.0-canary.0, < 15.3.6; >= 15.4.0-canary.0, < 15.4.8; >= 16.0.0-canary.0, < 16.0.7; >= 15.1.0-canary.0, < 15.1.9; >= 15.5.0-canary.0, < 15.5.7
Fixed in: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
CVSS: 10 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-502: Deserialization of Untrusted Data
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-g5qg-72qw-gw5v · 2025-08-29

Medium

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at [Vercel Changelog](https://vercel.com/changelog/cve-202…

Affected versions: >= 15.0.0, <= 15.4.4; >= 0.9.9, < 14.2.31
Fixed in: 14.2.31, 15.4.5
CVSS: 6.2 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-524: Use of Cache Containing Sensitive Information
Workaround: Upgrade to a fixed release

CVE-2025-57752

nextjs-ghsa-xv57-4mr9-wg8v · 2025-08-29

Medium

Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at [Vercel Changelog](http…

Affected versions: >= 15.0.0, <= 15.4.4; >= 0.9.9, < 14.2.31
Fixed in: 14.2.31, 15.4.5
CVSS: 4.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE: CWE-20: Improper Input Validation
Workaround: Upgrade to a fixed release

CVE-2025-55173

nextjs-ghsa-4342-x723-ch2f · 2025-08-29

Medium

Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

Mo…

Affected versions: >= 15.0.0-canary.0, < 15.4.7; >= 0.9.9, < 14.2.32
Fixed in: 14.2.32, 15.4.7
CVSS: 6.5 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Workaround: Upgrade to a fixed release

CVE-2025-57822

nextjs-ghsa-r2fc-ccr8-96c4 · 2025-07-03

Low

Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

Affected versions: >= 15.3.0, < 15.3.3
Fixed in: 15.3.3
CVSS: 3.7 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Workaround: Upgrade to a fixed release

CVE-2025-49005

nextjs-ghsa-67rr-84xm-4c7r · 2025-07-03

High

Next.JS vulnerability can lead to DoS via cache poisoning

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

Allam Rachid [zhero;](https://zhero-web-sec.github.io…

Affected versions: >= 15.0.4-canary.51, < 15.1.8
Fixed in: 15.1.8
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Workaround: Upgrade to a fixed release

CVE-2025-49826

nextjs-ghsa-3h52-269p-cp9r · 2025-05-28

Low

Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next con…

Affected versions: >= 15.0.0, < 15.2.2; >= 13.0, < 14.2.30
Fixed in: 14.2.30, 15.2.2
CVSS: Not listed
CWE: CWE-1385: Missing Origin Validation in WebSockets
Workaround: Upgrade to a fixed release

CVE-2025-48068

nextjs-ghsa-qpjv-v59x-3qc4 · 2025-05-15

Low

Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

Affected versions: >= 15.0.0, < 15.1.6; >= 0.9.9, < 14.2.24
Fixed in: 14.2.24, 15.1.6
CVSS: 3.7 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Workaround: Upgrade to a fixed release

CVE-2025-32421

nextjs-ghsa-223j-4rm8-mrmf · 2025-04-02

Low

Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Sec…

Affected versions: = 12.3.5; = 13.5.9; = 14.2.25; = 15.2.3
Fixed in: 12.3.6, 13.5.10, 14.2.26, 15.2.4
CVSS: Not listed
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Workaround: Upgrade to a fixed release

CVE-2025-30218

nextjs-ghsa-f82v-jwr5-mffw · 2025-03-21

Critical

Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

For Next.js 15.x, this issue is fixed in 15.2.3
For Next.js 14.x, this issue is fixed in 14.2.25
For Next.js 13.x, this issue is fixed in 13.5.9
For Next.js 12.x, this issue is fixed in 12.3.5
For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If…

Affected versions: >= 13.0.0, < 13.5.9; >= 14.0.0, < 14.2.25; >= 15.0.0, < 15.2.3; >= 12.0.0, < 12.3.5
Fixed in: 12.3.5, 13.5.9, 14.2.25, 15.2.3
CVSS: 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-285: Improper Authorization, CWE-863: Incorrect Authorization
Workaround: Upgrade to a fixed release

CVE-2025-29927

nextjs-ghsa-7m27-7ghc-44w9 · 2025-01-03

Medium

Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function…

Affected versions: >= 13.0.0, < 13.5.8; >= 14.0.0, < 14.2.21; >= 15.0.0, < 15.1.2
Fixed in: 13.5.8, 14.2.21, 15.1.2
CVSS: 5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
Workaround: Upgrade to a fixed release

CVE-2024-56332

nextjs-ghsa-7gfc-8cq8-jh5f · 2024-12-17

High

Next.js authorization bypass vulnerability

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We’d like to thank tyage (GMO CyberSecurity by IE…

Affected versions: >= 9.5.5, < 14.2.15
Fixed in: 14.2.15
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-285: Improper Authorization, CWE-863: Incorrect Authorization
Workaround: Upgrade to a fixed release

CVE-2024-51479

nextjs-ghsa-g77x-44xx-532m · 2024-10-14

Medium

Denial of Service condition in Next.js image optimization

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workaro…

Affected versions: >= 10.0.0, < 14.2.7
Fixed in: 14.2.7
CVSS: 5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-674: Uncontrolled Recursion
Workaround: Upgrade to a fixed release

CVE-2024-47831

nextjs-ghsa-gp8f-8m3g-qvj9 · 2024-09-17

High

Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

Next.js between 13.5.1 and 14.2.9
Using pages…

Affected versions: >= 13.5.1, < 13.5.7; >= 14.0.0, < 14.2.10
Fixed in: 13.5.7, 14.2.10
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data, CWE-639: Authorization Bypass Through User-Controlled Key
Workaround: Upgrade to a fixed release

CVE-2024-46982

nextjs-ghsa-fq54-2j52-jc42 · 2024-07-10

High

Next.js Denial of Service (DoS) condition

Impact

A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.

This vulnerability can affect all Next.js deployments on the affected versions.

Patches

This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credit

Thai Vu of flyseccorp.com
Aonan…

Affected versions: >= 13.3.1, < 13.5.0
Fixed in: 13.5.0
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption
Workaround: Upgrade to a fixed release

CVE-2024-39693

nextjs-ghsa-fr5h-rqp8-mj6g · 2024-05-09

High

Next.js Server-Side Request Forgery in Server Actions

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

Next.js (<14.1.1) is running in a self-hosted* manner.
The Next.js application makes use of Server Actions.
The Server Action performs a redirect to a relative pa…

Affected versions: >= 13.4.0, < 14.1.1
Fixed in: 14.1.1
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Workaround: Upgrade to a fixed release

CVE-2024-34351

nextjs-ghsa-77r5-gw3j-2mpf · 2024-05-09

High

Next.js Vulnerable to HTTP Request Smuggling

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next…

Affected versions: >= 13.4.0, < 13.5.1
Fixed in: 13.5.1
CVSS: 7.5 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
CWE: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Workaround: Upgrade to a fixed release

CVE-2024-34350

nextjs-ghsa-c59h-r6p8-q9wc · 2023-10-22

Low

Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

Affected versions: >= 0.9.9, < 13.4.20-canary.13
Fixed in: 13.4.20-canary.13
CVSS: Not listed
CWE: Not listed
Workaround: Upgrade to a fixed release

CVE-2023-46298

nextjs-ghsa-wff4-fpwg-qqv3 · 2022-08-30

Medium

Unexpected server crash in Next.js

Impact

When specific requests are made to the Next.js server it can cause an unhandledRejection in the server which can crash the process to exit in specific Node.js versions with strict unhandledRejection handling.

Affected: All of the following must be true to be affected by this CVE
- Node.js version above v15.0.0 being used with strict unhandledRejection exiting
- Next.js version v12.2.3
- Using next start or a custom server
No…

Affected versions: = 12.2.3
Fixed in: 12.2.4
CVSS: 5.3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-248: Uncaught Exception, CWE-754: Improper Check for Unusual or Exceptional Conditions
Workaround: Upgrade to a fixed release

CVE-2022-36046

nextjs-ghsa-fmvm-x8mv-47mj · 2022-02-17

Medium

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue.…

Affected versions: >= 10.0.0, < 12.1.0
Fixed in: 12.1.0
CVSS: 5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-451: User Interface (UI) Misrepresentation of Critical Information
Workaround: Upgrade to a fixed release

CVE-2022-23646

nextjs-ghsa-wr66-vrwm-5g5x · 2022-01-28

Medium

Denial of Service Vulnerability in next.js

Impact

Vulnerable code could allow a bad actor to trigger a denial of service attack for anyone running a Next.js app at version >= 12.0.0, and using i18n functionality.

Affected: All of the following must be true to be affected by this CVE
- Next.js versions above v12.0.0
- Using next start or a custom server
- Using the built-in i18n support
Not affected:
- Deployments on Vercel (vercel.com) are not affected along with similar environments where invalid requests are filtered before reac…

Affected versions: >= 12.0.0, < 12.0.9
Fixed in: 12.0.9
CVSS: 5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation, CWE-400: Uncontrolled Resource Consumption
Workaround: Upgrade to a fixed release

CVE-2022-21721

nextjs-ghsa-25mp-g6fv-mqxx · 2021-12-07

High

Unexpected server crash in Next.js.

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version…

Affected versions: >= 12.0.0, < 12.0.5; >= 0.9.9, < 11.1.3
Fixed in: 11.1.3, 12.0.5
CVSS: 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation
Workaround: Upgrade to a fixed release

CVE-2021-43803

nextjs-ghsa-9gr3-7897-pp7m · 2021-09-01

High

XSS in Image Optimization API for Next.js

Impact

Affected: All of the following must be true to be affected
- Next.js between version 10.0.0 and 11.1.0
- The next.config.js file has images.domains array assigned
- The image host assigned in images.domains allows user-provided SVG
Not affected: The next.config.js file has [images.loader](https://nextjs.org/docs/basic-features/image-o…

Affected versions: >= 10.0.0, < 11.1.1
Fixed in: 11.1.1
CVSS: 7.5 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Workaround: Upgrade to a fixed release

CVE-2021-39178

nextjs-ghsa-vxf5-wxwp-m7g9 · 2021-08-12

Medium

Open Redirect in Next.js

Impact

Affected: Users of Next.js between 10.0.5 and 10.2.0
Affected: Users of Nex…

Affected versions: >= 0.9.9, < 11.1.0
Fixed in: 11.1.0
CVSS: 6.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Workaround: Upgrade to a fixed release

CVE-2021-37699

nextjs-ghsa-x56p-c8cg-q435 · 2020-10-08

Medium

Open Redirect in Next.js versions

Impact

Affected: Users of Next.js between 9.5.0 and 9.5.3
Not affected: Deployments on Vercel (https://vercel.com) are not affected
Not affected: Deployments using next export

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

Patches

https://github.com/vercel/next.js/releases/tag/v9.5.4

References

https://github.com/vercel/next.js/releases/tag/v9.5.4

Affected versions: >= 9.5.0, < 9.5.4
Fixed in: 9.5.4
CVSS: 4.7 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Workaround: Upgrade to a fixed release

CVE-2020-15242

nextjs-ghsa-5vj8-3v2h-h38v · 2020-09-04

High

Remote Code Execution in next

Recommendation

Upgrade to version 5.1.0.

Affected versions: >= 0.9.9, < 5.1.0
Fixed in: 5.1.0
CVSS: Not listed
CWE: CWE-20: Improper Input Validation
Workaround: Upgrade to a fixed release

View advisory

nextjs-ghsa-fq77-7p7r-83rj · 2020-03-30

Medium

Directory Traversal in Next.js

Impact

Not affected: Deployments on ZEIT Now v2 (https://zeit.co) are not affected
Not affected: Deployments using the serverless target
Not affected: Deployments using next export
Affected: Users of Next.js below 9.3.2

We recommend everyone to upgrade regardless of whether you can reproduce the issue or not.

Patches

https://github.com/zeit/next.js/releases/tag/v9.3.2

References

https://github.com/zeit/next.js/releases/tag/v9.3.2

Affected versions: >= 0.9.9, < 9.3.2
Fixed in: 9.3.2
CVSS: 4.4 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-23: Relative Path Traversal
Workaround: Upgrade to a fixed release

CVE-2020-5284

nextjs-ghsa-qw96-mm2g-c8m7 · 2018-10-15

Medium

Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page

Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page.

Affected versions: >= 7.0.0, < 7.0.2
Fixed in: 7.0.2
CVSS: 6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Workaround: Upgrade to a fixed release

CVE-2018-18282

nextjs-ghsa-m34x-wgrh-g897 · 2018-01-24

High

Directory traversal vulnerability in Next.js

Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace.

Affected versions: >= 1.0.0, < 4.2.3
Fixed in: 4.2.3
CVSS: 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Workaround: Upgrade to a fixed release

CVE-2018-6184

nextjs-ghsa-3f5c-4qxj-vmpf · 2017-12-05

High

Next.js Directory Traversal Vulnerability

Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.

Affected versions: >= 1.0.0, < 2.4.1
Fixed in: 2.4.1
CVSS: 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Workaround: Upgrade to a fixed release

CVE-2017-16877

Is this a full Next.js release changelog?

No. This is a security changelog, not a general release changelog. It is intentionally limited to vulnerability fixes and security-impacting patches so developers, security teams, and AI search systems can answer upgrade-risk questions without sorting through unrelated framework changes.