next
npm · 37 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting next (page 1 of 1)
- CVE-2017-16877 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 2.4.1 · 2017-11-17
  ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information.
- CVE-2018-18282 · MEDIUM · CVSS 6.1 · EG 6.1 · Fixed in 7.0.2 · 2018-10-12
  Next.js 7.0.0 and 7.0.1 have XSS via the 404 or 500 /_error page.
- CVE-2018-6184 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 4.2.3 · 2018-01-24
  ZEIT Next.js 4 before 4.2.3 has directory traversal under the /_next request namespace.
- CVE-2020-15242 · MEDIUM · CVSS 4.7 · EG 4.7 · Fixed in 9.5.4 · 2020-10-08
  Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not direc…
- CVE-2020-5284 · MEDIUM · CVSS 4.4 · EG 4.4 · Fixed in 9.3.2 · 2020-03-30
  Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the…
- CVE-2021-37699 · MEDIUM · CVSS 6.9 · EG 6.9 · Fixed in 11.1.0 · 2021-08-12
  Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an ex…
- CVE-2021-39178 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 11.1.1 · 2021-08-31
  Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` ar…
- CVE-2021-43803 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 11.1.3 · 2021-12-10
  Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below …
- CVE-2022-21721 · MEDIUM · CVSS 5.9 · EG 5.9 · Fixed in 12.0.9 · 2022-01-28
  Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE,…
- CVE-2022-23646 · MEDIUM · CVSS 5.9 · EG 5.9 · Fixed in 12.1.0 · 2022-02-17
  Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an…
- CVE-2022-36046 · MEDIUM · CVSS 5.3 · EG 5.3 · Fixed in 12.2.4 · 2022-08-31 · Vulnerable: 12.2.3
  Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandled…
- CVE-2023-46298 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 13.4.20-canary.13 · 2023-10-22
  Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.
- CVE-2024-34350 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 13.5.1 · 2024-05-14
  Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate …
- CVE-2024-34351 · HIGH · CVSS 7.5 · EG 9.0 · Fixed in 14.1.1 · 2024-05-14
  Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditio…
- CVE-2024-39693 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 13.5.0 · 2024-07-10
  Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. This vulnerability was resolved in Next.js 13.5 and later.
- CVE-2024-46982 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 14.2.10 · 2024-09-17
  Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app rout…
- CVE-2024-47831 · MEDIUM · CVSS 5.9 · EG 5.9 · Fixed in 14.2.7 · 2024-10-14
  Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condit…
- CVE-2024-51479 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 14.2.15 · 2024-12-17
  Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pag…
- CVE-2025-29927 · CRITICAL · CVSS 9.1 · EG 9.1 · Fixed in 13.5.9 · 2025-03-21
  Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the…
- CVE-2025-32421 · LOW · CVSS 3.7 · EG 3.7 · Fixed in 14.2.24 · 2025-05-14
  Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpo…
- CVE-2025-48068 · MEDIUM · CVSS 4.3 · EG 4.3 · Fixed in 15.2.2 · 2025-05-30
  Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with…
- CVE-2025-49005 · LOW · CVSS 3.7 · EG 3.7 · Fixed in 15.3.3 · 2025-07-03
  Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for …
- CVE-2025-49826 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 15.1.8 · 2025-07-03
  Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact c…
- CVE-2025-57752 · MEDIUM · CVSS 6.2 · EG 6.2 · Fixed in 14.2.31 · 2025-08-29
  Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API ro…
- CVE-2025-57822 · MEDIUM · CVSS 6.5 · EG 6.5 · Fixed in 14.2.32 · 2025-08-29
  Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorre…
- CVE-2026-44572 · LOW · CVSS 3.7 · EG 3.7 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redire…
- CVE-2026-44573 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized acces…
- CVE-2026-44574 · HIGH · CVSS 8.1 · EG 8.1 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployme…
- CVE-2026-44575 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through …
- CVE-2026-44576 · MEDIUM · CVSS 5.4 · EG 5.4 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition …
- CVE-2026-44577 · MEDIUM · CVSS 5.9 · EG 5.9 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory …
- CVE-2026-44578 · HIGH · CVSS 8.6 · EG 8.6 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted W…
- CVE-2026-44579 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through craf…
- CVE-2026-44580 · MEDIUM · CVSS 6.1 · EG 6.1 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In …
- CVE-2026-44581 · MEDIUM · CVSS 4.7 · EG 4.7 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared c…
- CVE-2026-44582 · LOW · CVSS 3.7 · EG 3.7 · Fixed in 16.2.5 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insuffici…
- CVE-2026-45109 · HIGH · CVSS 7.5 · EG 7.5 · Fixed in 16.2.6 · 2026-05-13
  Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed…
Check whether next is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for next CVEs against the assets you own.