@stryke/trpc-next-0.5.87.tgz: 21 vulnerabilities (highest severity is: 10.0) #161

@mend-bolt-for-github

Description

Vulnerable Library - @stryke/trpc-next-0.5.87.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (@stryke/trpc-next version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-55182 | Critical | 10.0 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44578 | High | 8.6 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-45109 | High | 7.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44579 | High | 7.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44575 | High | 7.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44573 | High | 7.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2025-67779 | High | 7.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2025-55184 | High | 7.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-29057 | Medium | 6.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2025-57822 | Medium | 6.5 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2025-57752 | Medium | 6.2 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44580 | Medium | 6.1 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44577 | Medium | 5.9 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2025-59471 | Medium | 5.9 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44576 | Medium | 5.4 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-27980 | Medium | 5.3 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2025-55183 | Medium | 5.3 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44581 | Medium | 4.7 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2025-55173 | Medium | 4.3 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44582 | Low | 3.7 | next-15.2.4.tgz | Transitive | N/A* | |
| CVE-2026-44572 | Low | 3.7 | next-15.2.4.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-55182

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Publish Date: 2025-12-03

URL: CVE-2025-55182

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fv66-9v8q-g76r

Release Date: 2025-12-03

Fix Resolution: next - 15.0.5,next - 15.4.8,next - 15.5.7,next - 15.1.9,next - 16.0.7,next - 15.2.6,next - 15.3.6,react-server-dom-turbopack - 19.1.2,https://github.com/facebook/react.git - v19.1.2,https://github.com/facebook/react.git - v19.0.1,https://github.com/facebook/react.git - v19.2.1,react-server-dom-turbopack - 19.2.1,react-server-dom-parcel - 19.1.2,react-server-dom-turbopack - 19.0.1,react-server-dom-webpack - 19.0.1,react-server-dom-webpack - 19.1.2,react-server-dom-webpack - 19.2.1,react-server-dom-parcel - 19.2.1

Step up your Open Source Security Game with Mend here

CVE-2026-44578

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact

Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected.

Fix

We now apply the same safety checks to WebSocket upgrade handling that already existed for normal HTTP requests, so upgrade requests are only proxied when routing has explicitly marked them as safe external rewrites.

Workarounds

If you cannot upgrade immediately, do not expose the origin server directly to untrusted networks. If WebSocket upgrades are not required, block them at your reverse proxy or load balancer, and restrict origin egress to internal networks and metadata services where possible.

Publish Date: 2026-05-11

URL: CVE-2026-44578

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-c4j6-fc7j-m34r

Release Date: 2026-05-05

Fix Resolution: next - 16.2.5,next - 15.5.16

CVE-2026-45109

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact

It was found that the fix addressing "CVE-2026-44575" (GHSA-267c-6grr-h53f) did not apply to "middleware.ts" with Turbopack. Refer to "CVE-2026-44575" (GHSA-267c-6grr-h53f) for further details.

References

  • "CVE-2026-44575" (GHSA-267c-6grr-h53f)

Publish Date: 2026-05-11

URL: CVE-2026-45109

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-26hh-7cqf-hhc6

Release Date: 2026-05-11

Fix Resolution: next - 15.5.18,next - 16.2.6

CVE-2026-44579

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact

Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.

Fix

We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.

Workarounds

If you cannot upgrade immediately, block requests that would be handled by Next.js if they contain the "Next-Resume" header at the edge.

Publish Date: 2026-05-11

URL: CVE-2026-44579

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-mg66-mrh9-m8jx

Release Date: 2026-05-11

Fix Resolution: next - 15.5.16,next - 16.2.5

CVE-2026-44575

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact

App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted ".rsc" and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check.

Fix

We now include App Router transport variants when generating middleware matchers, so middleware protections are applied consistently to those requests as well as to the normal page URL.

Workarounds

If you cannot upgrade immediately, enforce authorization in the underlying route or page logic instead of relying solely on middleware.

Publish Date: 2026-05-11

URL: CVE-2026-44575

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-267c-6grr-h53f

Release Date: 2026-05-05

Fix Resolution: next - 15.5.16,next - 16.2.5

CVE-2026-44573

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact

Applications using the Pages Router with "i18n" configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less "/_next/data//.json" requests. In affected configurations, middleware does not run for the unprefixed data route, allowing an attacker to retrieve SSR JSON for protected pages without passing the intended authorization checks.

Fix

The matcher logic was updated to perform the same match as it would on a non-i18n data route.

Workarounds

If you cannot upgrade immediately, enforce authorization in the page's server-side data path instead of relying solely on middleware.

Publish Date: 2026-05-11

URL: CVE-2026-44573

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-36qx-fr4f-26g5

Release Date: 2026-05-05

Fix Resolution: next - 15.5.16,next - 16.2.5

CVE-2025-67779

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Publish Date: 2025-12-11

URL: CVE-2025-67779

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Release Date: 2025-12-12

Fix Resolution: next - 15.1.9,next - 15.2.6,next - 15.5.7,next - 15.3.6,react-server-dom-parcel - 19.2.3,next - 15.4.8,next - 15.0.5,next - 16.0.7,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.0.3,react-server-dom-turbopack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-webpack - 19.1.4,react-server-dom-parcel - 19.1.4

CVE-2025-55184

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

Publish Date: 2025-12-11

URL: CVE-2025-55184

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Release Date: 2025-12-11

Fix Resolution: next - 15.3.6,react-server-dom-parcel - 19.2.3,next - 15.5.7,next - 15.1.9,next - 16.0.7,next - 15.0.5,next - 15.2.6,next - 15.4.8,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.1.4,react-server-dom-turbopack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-webpack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-parcel - 19.1.4

CVE-2026-29057

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted "DELETE"/"OPTIONS" request using "Transfer-Encoding: chunked" could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency's behavior so "content-length: 0" is added only when both "content-length" and "transfer-encoding" are absent, and "transfer-encoding" is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

  • Block chunked "DELETE"/"OPTIONS" requests on rewritten routes at your edge/proxy.
  • Enforce authentication/authorization on backend routes per our "security guidance" (https://nextjs.org/docs/app/guides/data-security).

Publish Date: 2026-03-18

URL: CVE-2026-29057

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-18

Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7,https://github.com/vercel/next.js.git - v15.5.13

CVE-2025-57822

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js Middleware versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-08-29

URL: CVE-2025-57822

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-4342-x723-ch2f

Release Date: 2025-08-29

Fix Resolution: next - 14.2.32,next - 15.4.7,https://github.com/vercel/next.js.git - v14.2.32,https://github.com/vercel/next.js.git - v15.4.7

CVE-2025-57752

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

Publish Date: 2025-08-29

URL: CVE-2025-57752

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-g5qg-72qw-gw5v

Release Date: 2025-08-29

Fix Resolution: next - 15.4.5,next - 14.2.31

CVE-2026-44580

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact

Applications that use "beforeInteractive" scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.

Fix

We now HTML-escape serialized "beforeInteractive" script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.

Workarounds

If you cannot upgrade immediately, do not pass untrusted data into "beforeInteractive" scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.

Publish Date: 2026-05-11

URL: CVE-2026-44580

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gx5p-jg67-6x7h

Release Date: 2026-05-11

Fix Resolution: next - 15.5.16,next - 16.2.5

CVE-2026-44577

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact

When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the "/_next/image" endpoint that match the "images.localPatterns" configuration (by default, all patterns are allowed).

  • If you are using "images.localPatterns", only the patterns in that array are impacted.
  • If you are using "images.unoptimized: true", you are NOT impacted.
  • If you are using "images.loader: 'custom'", you are NOT impacted.
  • If you are using Vercel, you are NOT impacted.

Fix

We now apply response size limits consistently to internal image fetches, not just external ones, and fail oversized responses before they can exhaust process memory. This can be adjusted using the "images.maximumResponseBody" configuration.

Workarounds

If you cannot upgrade immediately, avoid routing large local assets through "/_next/image", disable image optimization for large or untrusted local files, or block image optimization access to those assets at the edge. You can disable it using the "images.localPatterns: []" configuration. This will still allow fetching remote images (which is not impacted).

Publish Date: 2026-05-11

URL: CVE-2026-44577

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h64f-5h5j-jqjh

Release Date: 2026-05-11

Fix Resolution: next - 15.5.16,next - 16.2.5

CVE-2025-59471

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

A denial of service vulnerability exists in self-hosted Next.js applications that have "remotePatterns" configured for the Image Optimizer. The image optimization endpoint ("/_next/image") loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that "remotePatterns" is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

Publish Date: 2026-01-26

URL: CVE-2025-59471

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9g9p-9gw9-jx7f

Release Date: 2026-01-26

Fix Resolution: next - 15.5.10,next - 16.1.5

CVE-2026-44576

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact: Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.

Fix: We now validate and interpret "RSC" request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.

Workarounds: If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors "Vary", or disable shared caching for affected App Router and RSC responses.

Publish Date: 2026-05-11

URL: CVE-2026-44576

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-wfc6-r584-vfw7

Release Date: 2026-05-11

Fix Resolution: next - 16.2.5, next - 15.5.16

CVE-2026-27980

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache ("/_next/image") did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with "images.maximumDiskCacheSize", including eviction of least-recently-used entries when the limit is exceeded. Setting "maximumDiskCacheSize: 0" disables disk caching. If upgrading is not immediately possible, periodically clean ".next/cache/images" and/or reduce variant cardinality (e.g., tighten values for "images.localPatterns", "images.remotePatterns", and "images.qualities").
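Both image-optimizer advisories in this issue (CVE-2025-59471 above and this one) come down to what the images block in next.config.js allows. As an added example that is not Next.js's own code, here is a weak images configuration beside a tightened one, and a small audit that flags the settings they differ in. The option names are the documented next.config.js keys (remotePatterns, localPatterns, qualities, maximumDiskCacheSize, unoptimized); the hostnames, the 1 GiB budget, the thresholds and the finding texts are assumptions.

```javascript
// Added example for this report, not Next.js code. Checks a next.config.js
// "images" object for the settings the image-optimizer advisories hinge on.

// Weak: any HTTPS host, any path, every quality value, unbounded disk cache.
// (The '**' hostname wildcard follows the documented remotePatterns syntax.)
const weakConfig = {
  images: {
    remotePatterns: [{ protocol: 'https', hostname: '**' }],
  },
};

// Tightened: one trusted CDN on one path prefix, a single quality, a cache cap.
// maximumDiskCacheSize is only enforced from the fixed releases named above.
const hardenedConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' },
    ],
    qualities: [75],
    maximumDiskCacheSize: 1024 * 1024 * 1024, // assumed 1 GiB budget
  },
};

// Returns a list of human-readable findings; an empty list means nothing flagged.
function auditImagesConfig(config) {
  const findings = [];
  const images = (config && config.images) || {};
  if (images.unoptimized === true) return findings; // optimizer disabled entirely

  const patterns = Array.isArray(images.remotePatterns) ? images.remotePatterns : [];
  for (const p of patterns) {
    const host = String(p.hostname || '');
    if (host === '*' || host === '**') {
      findings.push(`remotePatterns hostname '${host}' matches any host: /_next/image will fetch from a server the attacker controls`);
    } else if (host.includes('*')) {
      findings.push(`remotePatterns hostname '${host}' is a wildcard: confirm every matching host is trusted`);
    }
    if (p.protocol !== 'https') {
      findings.push(`remotePatterns entry '${host}' does not pin protocol to https`);
    }
    if (!p.pathname) {
      findings.push(`remotePatterns entry '${host}' has no pathname: any path on that host is eligible`);
    }
  }

  // Variant cardinality and cache growth apply to local images too, so these
  // are checked regardless of remotePatterns.
  if (!Array.isArray(images.qualities) || images.qualities.length > 3) {
    findings.push('qualities is unset or wide: each accepted quality value is a separate cache variant');
  }
  if (!Number.isFinite(images.maximumDiskCacheSize)) {
    findings.push('maximumDiskCacheSize is unset: the optimizer disk cache can grow without bound');
  }
  return findings;
}
```

Run `auditImagesConfig(require('./next.config.js'))` from the project root to check a real configuration; the weak block above produces four findings and the tightened one none.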

Publish Date: 2026-03-18

URL: CVE-2026-27980

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-18

Fix Resolution: https://github.com/vercel/next.js.git - v16.1.7, https://github.com/vercel/next.js.git - v15.5.13

CVE-2025-55183

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
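Why "exposes a stringified argument" is the precondition, as an added illustration that is not React's or Next.js's code: in JavaScript, interpolating a function reference into a string invokes Function.prototype.toString, which returns that function's source text, so a Server Function that builds a string from an untyped argument writes out whatever function ends up bound to that argument. The functions below are synchronous stand-ins for the async Server Functions of a real app, and the route by which an attacker gets a function reference bound to the argument (the deserialization flaw fixed in the listed releases) is deliberately not reproduced; the snippet shows only the sink and its guard.

```javascript
// Added example for this report, not React or Next.js code.

// Stand-in for a Server Function whose body an operator would not want public.
function issueInternalToken(userId) {
  const INTERNAL_TOKEN_PREFIX = 'svc-'; // placeholder, not a real secret
  return INTERNAL_TOKEN_PREFIX + userId;
}

// Vulnerable sink: the argument is assumed to be a string and is interpolated
// as-is. If a function reference arrives instead, `${name}` calls
// name.toString() and the function's source text lands in the response.
function greetUnsafe(name) {
  return `Hello, ${name}!`;
}

// Reusable guard: accept only a plain string of bounded length. Any object,
// function or array is rejected before anything is stringified.
function assertPlainString(value, maxLength = 64) {
  if (typeof value !== 'string') {
    throw new TypeError(`expected a string argument, got ${typeof value}`);
  }
  if (value.length > maxLength) {
    throw new RangeError(`argument longer than ${maxLength} characters`);
  }
  return value;
}

// Hardened: the same sink behind the explicit type check.
function greetSafe(name) {
  return `Hello, ${assertPlainString(name)}!`;
}

// Did a response carry the other function's source text?
function leaksSource(response) {
  return response.includes('INTERNAL_TOKEN_PREFIX');
}
```

The same guard belongs on every argument a Server Function concatenates, logs, or passes to a template; the check is cheap and also catches the non-malicious case of a caller passing the wrong type.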

Publish Date: 2025-12-11

URL: CVE-2025-55183

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components

Release Date: 2025-12-11

Fix Resolution: next - 15.0.5, next - 15.1.9, next - 15.2.6, next - 15.3.6, next - 15.4.8, next - 15.5.7, next - 16.0.7; react-server-dom-webpack - 19.0.3, 19.1.4, 19.2.3; react-server-dom-turbopack - 19.0.3, 19.1.4, 19.2.3; react-server-dom-parcel - 19.1.4, 19.2.3

CVE-2026-44581

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact: App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors.

Fix: We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context.

Workarounds: If you cannot upgrade immediately, strip inbound "Content-Security-Policy" request headers from untrusted traffic.
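The workaround exists because the nonce Next.js writes into inline script and style tags is derived from the Content-Security-Policy request header, which middleware is expected to set and which a client can set too when nothing in front of the app strips it. As an added example that is not Next.js code, here is a nonce extractor that accepts only the base64 alphabet a CSP nonce-source may contain, the header filter a reverse proxy should apply to public traffic, and a tag renderer that refuses to run without a well-formed nonce. The header list (x-nonce is the name used in the Next.js middleware docs example), the 16-character minimum and the function names are assumptions.

```javascript
// Added example for this report, not Next.js code.

// CSP nonce-source is 'nonce-' followed by a base64-value: letters, digits,
// '+', '/', '-', '_' and up to two trailing '='. Nothing else, in particular
// no quotes, angle brackets or whitespace, may reach an HTML attribute.
const NONCE_VALUE = /^[A-Za-z0-9+\/\-_]+={0,2}$/;
const MIN_NONCE_LENGTH = 16; // assumed floor; 128 random bits base64-encoded is 22 chars

// Pulls the first 'nonce-...' token out of a CSP header value and validates it.
// Returns null for a missing or malformed nonce rather than a "cleaned" one,
// so a bad value is never partially reflected.
function extractNonce(cspHeader) {
  if (typeof cspHeader !== 'string') return null;
  const m = /'nonce-([^']*)'/.exec(cspHeader);
  if (!m) return null;
  const nonce = m[1];
  if (nonce.length < MIN_NONCE_LENGTH || !NONCE_VALUE.test(nonce)) return null;
  return nonce;
}

// Headers that only our own middleware may set. Assumed list: the two CSP
// request headers plus x-nonce.
const TRUSTED_ONLY_HEADERS = new Set([
  'content-security-policy',
  'content-security-policy-report-only',
  'x-nonce',
]);

// What the reverse proxy does to every request from the public network before
// it reaches Next.js: drop the headers above so a client cannot supply them.
// Takes and returns a plain { name: value } object.
function stripClientCspHeaders(requestHeaders) {
  const kept = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (!TRUSTED_ONLY_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Renders a script tag with a validated nonce, or throws. Attribute escaping
// of src is a separate concern from nonce validation and is done minimally.
function renderScriptTag(cspHeader, src) {
  const nonce = extractNonce(cspHeader);
  if (nonce === null) throw new Error('refusing to render: CSP header has no well-formed nonce');
  const safeSrc = String(src).replace(/[&"<>]/g, (c) => ({ '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' }[c]));
  return `<script nonce="${nonce}" src="${safeSrc}"></script>`;
}
```

Stripping the header at the proxy is the defence that does not depend on the framework's own sanitisation; `extractNonce` is what the application layer should do anyway so that a malformed value fails closed instead of being embedded.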

Publish Date: 2026-05-11

URL: CVE-2026-44581

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-ffhc-5mcf-pf4q

Release Date: 2026-05-11

Fix Resolution: next - 15.5.16, next - 16.2.5

CVE-2025-55173

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

Publish Date: 2025-08-29

URL: CVE-2025-55173

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-xv57-4mr9-wg8v

Release Date: 2025-08-29

Fix Resolution: next - 14.2.31, next - 15.4.5

CVE-2026-44582

Vulnerable Library - next-15.2.4.tgz

The React Framework

Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/.pnpm/next@15.2.4_@babel+core@7.29.0_@opentelemetry+api@1.4.1_@types+react-dom@19.2.3_@types+_e4a2a95b9677a5131988ccfed0eebd20/node_modules/next/package.json,/package.json

Dependency Hierarchy:

  • @stryke/trpc-next-0.5.87.tgz (Root Library)
    • next-11.17.0.tgz
      • next-15.2.4.tgz (Vulnerable Library)

Found in HEAD commit: e42e9dec307fb18fa9f1bc3091ef3a4f1ebfb770

Found in base branch: main

Vulnerability Details

Impact: React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the "_rsc" cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL.

Fix: We strengthened the "_rsc" cache-busting mechanism to make practical collisions significantly harder and to better separate response variants that should not share cache entries.

Workarounds: If you cannot upgrade immediately, ensure intermediary caches correctly honor "Vary" for RSC-related request headers, or disable shared caching for affected RSC responses until you can deploy a patched release.
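The two cache-poisoning advisories in this issue (CVE-2026-44576 above and this one) share a workaround: the shared cache must key on the request headers the origin names in Vary rather than on the URL alone. As an added model that is not Next.js's or any CDN's code, here is a minimal shared cache with that behaviour switched off and on, driven by a constructed origin that answers an RSC-flagged request with a component payload and any other request with HTML. The Vary list (RSC, Next-Router-State-Tree, Next-Router-Prefetch) is the one Next.js's App Router sends; the URL, the bodies and everything else are made up for the example.

```javascript
// Added example for this report, not Next.js or CDN code.

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v);
  return out;
}

// Constructed origin: the same URL yields two variants depending on the RSC
// request header, and says so via Vary. Bodies are placeholders.
function origin(url, requestHeaders) {
  const req = lowerKeys(requestHeaders);
  const vary = 'RSC, Next-Router-State-Tree, Next-Router-Prefetch';
  if (req.rsc === '1') {
    return { headers: { 'content-type': 'text/x-component', vary }, body: `0:["rsc",${JSON.stringify(url)}]` };
  }
  return { headers: { 'content-type': 'text/html; charset=utf-8', vary }, body: `<!doctype html><title>${url}</title>` };
}

// Minimal shared cache. With honorVary=false the key is the URL alone, the
// misconfiguration the advisories describe. With honorVary=true the key also
// includes the request's value for every header the cached response listed
// in Vary; because Vary is per response, the header names are remembered per
// URL when a response is stored and used to build the key on later lookups.
class SharedCache {
  constructor({ honorVary }) {
    this.honorVary = honorVary;
    this.varyNamesByUrl = new Map(); // url -> ['rsc', ...]
    this.entries = new Map();        // key -> response
  }

  key(url, req) {
    if (!this.honorVary) return url;
    const names = this.varyNamesByUrl.get(url) || [];
    const selectors = names.map((n) => `${n}=${req[n] === undefined ? '' : req[n]}`);
    return `${url}\u0000${selectors.join('&')}`;
  }

  get(url, requestHeaders) {
    return this.entries.get(this.key(url, lowerKeys(requestHeaders))) || null;
  }

  put(url, requestHeaders, response) {
    if (this.honorVary) {
      const names = String(response.headers.vary || '')
        .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
      if (names.includes('*')) return; // Vary: * means never share this response
      this.varyNamesByUrl.set(url, names);
    }
    this.entries.set(this.key(url, lowerKeys(requestHeaders)), response);
  }
}

function fetchThroughCache(cache, url, requestHeaders) {
  const hit = cache.get(url, requestHeaders);
  if (hit) return { ...hit, cached: true };
  const fresh = origin(url, requestHeaders);
  cache.put(url, requestHeaders, fresh);
  return { ...fresh, cached: false };
}

// An attacker primes the cache with an RSC-flagged request, then an ordinary
// visitor asks for the same page. Returns the content-type the visitor gets:
// the RSC payload when the cache ignores Vary, HTML when it honours it.
function victimContentType(honorVary) {
  const cache = new SharedCache({ honorVary });
  fetchThroughCache(cache, '/dashboard', { RSC: '1' });                 // attacker
  const victim = fetchThroughCache(cache, '/dashboard', { Accept: 'text/html' });
  return victim.headers['content-type'];
}
```

Real CDNs implement the same idea as a "cache key" or "vary" rule; the check to run against your own edge configuration is exactly `victimContentType`: prime with `RSC: 1`, then fetch without it and confirm the response is HTML and not a `text/x-component` body.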

Publish Date: 2026-05-11

URL: CVE-2026-44582

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-vfv6-92ff-j949

Release Date: 2026-05-11

Fix Resolution: next - 16.2.5, next - 15.5.16
