Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/next@16.1.0-canary.19
Typenpm
Namespace
Namenext
Version16.1.0-canary.19
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version16.1.7
Latest_non_vulnerable_version16.2.3
Affected_by_vulnerabilities
0
url VCID-3m4d-v2y1-5ua4
vulnerability_id VCID-3m4d-v2y1-5ua4
summary 
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59472
reference_id
reference_type
scores
0
value 0.00086
scoring_system epss
scoring_elements 0.2486
published_at 2026-04-02T12:55:00Z
1
value 0.00089
scoring_system epss
scoring_elements 0.25343
published_at 2026-04-18T12:55:00Z
2
value 0.00089
scoring_system epss
scoring_elements 0.25543
published_at 2026-04-04T12:55:00Z
3
value 0.00089
scoring_system epss
scoring_elements 0.25315
published_at 2026-04-07T12:55:00Z
4
value 0.00089
scoring_system epss
scoring_elements 0.25383
published_at 2026-04-08T12:55:00Z
5
value 0.00089
scoring_system epss
scoring_elements 0.25428
published_at 2026-04-09T12:55:00Z
6
value 0.00089
scoring_system epss
scoring_elements 0.25439
published_at 2026-04-11T12:55:00Z
7
value 0.00089
scoring_system epss
scoring_elements 0.25398
published_at 2026-04-12T12:55:00Z
8
value 0.00089
scoring_system epss
scoring_elements 0.25344
published_at 2026-04-13T12:55:00Z
9
value 0.00089
scoring_system epss
scoring_elements 0.25352
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59472
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:52:42Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59472
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59472
5
reference_url https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433092
reference_id 2433092
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433092
7
reference_url https://github.com/advisories/GHSA-5f7q-jpqc-wp7h
reference_id GHSA-5f7q-jpqc-wp7h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5f7q-jpqc-wp7h
fixed_packages
0
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5kj1-stm6-8qgv
1
vulnerability VCID-6rmp-13nt-2kb9
2
vulnerability VCID-7skv-ksvn-f7bu
3
vulnerability VCID-qz2s-22e2-ufg9
4
vulnerability VCID-wa6u-pkgn-cbaf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases CVE-2025-59472, GHSA-5f7q-jpqc-wp7h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3m4d-v2y1-5ua4
1
url VCID-5kj1-stm6-8qgv
vulnerability_id VCID-5kj1-stm6-8qgv
summary 
Next.js: HTTP request smuggling in rewrites
## Summary
When Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

## Impact
An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. 

## Patches
The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path.

## Workarounds
If upgrade is not immediately possible:
- Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy.
- Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29057
reference_id
reference_type
scores
0
value 0.00063
scoring_system epss
scoring_elements 0.19764
published_at 2026-04-11T12:55:00Z
1
value 0.00063
scoring_system epss
scoring_elements 0.19759
published_at 2026-04-09T12:55:00Z
2
value 0.00063
scoring_system epss
scoring_elements 0.19708
published_at 2026-04-08T12:55:00Z
3
value 0.00063
scoring_system epss
scoring_elements 0.19628
published_at 2026-04-07T12:55:00Z
4
value 0.00073
scoring_system epss
scoring_elements 0.22369
published_at 2026-04-02T12:55:00Z
5
value 0.00073
scoring_system epss
scoring_elements 0.22413
published_at 2026-04-04T12:55:00Z
6
value 0.00083
scoring_system epss
scoring_elements 0.24321
published_at 2026-04-18T12:55:00Z
7
value 0.00083
scoring_system epss
scoring_elements 0.24331
published_at 2026-04-16T12:55:00Z
8
value 0.00083
scoring_system epss
scoring_elements 0.24313
published_at 2026-04-13T12:55:00Z
9
value 0.00083
scoring_system epss
scoring_elements 0.2437
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29057
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
4
reference_url https://github.com/vercel/next.js/releases/tag/v15.5.13
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/releases/tag/v15.5.13
5
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
6
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29057
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29057
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448515
reference_id 2448515
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448515
9
reference_url https://github.com/advisories/GHSA-ggv3-7p47-pfv8
reference_id GHSA-ggv3-7p47-pfv8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ggv3-7p47-pfv8
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-29057, GHSA-ggv3-7p47-pfv8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5kj1-stm6-8qgv
2
url VCID-6rmp-13nt-2kb9
vulnerability_id VCID-6rmp-13nt-2kb9
summary 
Next.js: null origin can bypass Server Actions CSRF checks
## Summary
`origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

## Impact
An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

## Patches
Fixed by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`.  

## Workarounds
If upgrade is not immediately possible:
- Add CSRF tokens for sensitive Server Actions.
- Prefer `SameSite=Strict` on sensitive auth cookies.
- Do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27978.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27978.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27978
reference_id
reference_type
scores
0
value 6e-05
scoring_system epss
scoring_elements 0.00389
published_at 2026-04-04T12:55:00Z
1
value 7e-05
scoring_system epss
scoring_elements 0.00524
published_at 2026-04-16T12:55:00Z
2
value 7e-05
scoring_system epss
scoring_elements 0.00527
published_at 2026-04-13T12:55:00Z
3
value 7e-05
scoring_system epss
scoring_elements 0.00525
published_at 2026-04-12T12:55:00Z
4
value 7e-05
scoring_system epss
scoring_elements 0.00528
published_at 2026-04-11T12:55:00Z
5
value 7e-05
scoring_system epss
scoring_elements 0.00526
published_at 2026-04-09T12:55:00Z
6
value 7e-05
scoring_system epss
scoring_elements 0.00531
published_at 2026-04-08T12:55:00Z
7
value 7e-05
scoring_system epss
scoring_elements 0.00534
published_at 2026-04-07T12:55:00Z
8
value 8e-05
scoring_system epss
scoring_elements 0.00653
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27978
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:47:56Z/
url https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:47:56Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:47:56Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27978
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27978
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448513
reference_id 2448513
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448513
8
reference_url https://github.com/advisories/GHSA-mq59-m269-xvcx
reference_id GHSA-mq59-m269-xvcx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mq59-m269-xvcx
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27978, GHSA-mq59-m269-xvcx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6rmp-13nt-2kb9
3
url VCID-7skv-ksvn-f7bu
vulnerability_id VCID-7skv-ksvn-f7bu
summary 
Next.js: Unbounded postponed resume buffering can lead to DoS
## Summary
A request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

## Impact
In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.

## Patches
Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.  

## Workarounds
If upgrade is not immediately possible:
- Block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27979.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27979.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27979
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04463
published_at 2026-04-18T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.0444
published_at 2026-04-02T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04466
published_at 2026-04-04T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.04478
published_at 2026-04-07T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.04512
published_at 2026-04-08T12:55:00Z
5
value 0.00018
scoring_system epss
scoring_elements 0.04528
published_at 2026-04-09T12:55:00Z
6
value 0.00018
scoring_system epss
scoring_elements 0.04517
published_at 2026-04-11T12:55:00Z
7
value 0.00018
scoring_system epss
scoring_elements 0.04502
published_at 2026-04-12T12:55:00Z
8
value 0.00018
scoring_system epss
scoring_elements 0.04484
published_at 2026-04-13T12:55:00Z
9
value 0.00018
scoring_system epss
scoring_elements 0.04454
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27979
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:51:23Z/
url https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:51:23Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:51:23Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27979
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27979
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448512
reference_id 2448512
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448512
8
reference_url https://github.com/advisories/GHSA-h27x-g6w4-24gq
reference_id GHSA-h27x-g6w4-24gq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h27x-g6w4-24gq
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27979, GHSA-h27x-g6w4-24gq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7skv-ksvn-f7bu
4
url VCID-qz2s-22e2-ufg9
vulnerability_id VCID-qz2s-22e2-ufg9
summary 
Next.js: Unbounded next/image disk cache growth can exhaust storage
## Summary
The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.

## Impact
An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

## Patches
Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. 

## Workarounds
If upgrade is not immediately possible:
- Periodically clean `.next/cache/images`.
- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27980
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04466
published_at 2026-04-04T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.0444
published_at 2026-04-02T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05495
published_at 2026-04-18T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.0552
published_at 2026-04-07T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05558
published_at 2026-04-08T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05581
published_at 2026-04-09T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05554
published_at 2026-04-11T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05541
published_at 2026-04-12T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05534
published_at 2026-04-13T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05484
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27980
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/
url https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27980
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27980
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448509
reference_id 2448509
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448509
8
reference_url https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
reference_id GHSA-3x4c-7xq6-9pq8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27980, GHSA-3x4c-7xq6-9pq8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qz2s-22e2-ufg9
5
url VCID-w35n-bwuy-5kce
vulnerability_id VCID-w35n-bwuy-5kce
summary 
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
references
0
reference_url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
1
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
2
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
4
reference_url https://vercel.com/changelog/summary-of-cve-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://vercel.com/changelog/summary-of-cve-2026-23864
5
reference_url https://github.com/advisories/GHSA-h25m-26qc-wcjf
reference_id GHSA-h25m-26qc-wcjf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h25m-26qc-wcjf
fixed_packages
0
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5kj1-stm6-8qgv
1
vulnerability VCID-6rmp-13nt-2kb9
2
vulnerability VCID-7skv-ksvn-f7bu
3
vulnerability VCID-qz2s-22e2-ufg9
4
vulnerability VCID-wa6u-pkgn-cbaf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases GHSA-h25m-26qc-wcjf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w35n-bwuy-5kce
6
url VCID-wa6u-pkgn-cbaf
vulnerability_id VCID-wa6u-pkgn-cbaf
summary 
Next.js: null origin can bypass dev HMR websocket CSRF checks
## Summary
In `next dev`, cross-site protections for internal development endpoints could treat `Origin: null` as a bypass case even when [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server functionality unexpectedly.

## Impact
If a developer visits attacker-controlled content while running an affected `next dev` server with [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins) configured, attacker-controlled browser code may be able to connect to internal development endpoints and interact with sensitive dev-server functionality that should have remained blocked.

This issue affects development mode only. It does not affect `next start`, and it does not expose internal debugging functionality to the network by default.

## Patches
Fixed by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins on internal development endpoints.

## Workarounds
If upgrade is not immediately possible:
- Do not expose `next dev` to untrusted networks.
- If you use [`allowedDevOrigins`](https://nextjs.org/docs/app/api-reference/config/next-config-js/allowedDevOrigins), reject requests and websocket upgrades with `Origin: null` for internal dev endpoints at your proxy.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27977.json
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27977.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27977
reference_id
reference_type
scores
0
value 6e-05
scoring_system epss
scoring_elements 0.00363
published_at 2026-04-16T12:55:00Z
1
value 6e-05
scoring_system epss
scoring_elements 0.00367
published_at 2026-04-13T12:55:00Z
2
value 6e-05
scoring_system epss
scoring_elements 0.00369
published_at 2026-04-12T12:55:00Z
3
value 6e-05
scoring_system epss
scoring_elements 0.00373
published_at 2026-04-11T12:55:00Z
4
value 6e-05
scoring_system epss
scoring_elements 0.00375
published_at 2026-04-09T12:55:00Z
5
value 6e-05
scoring_system epss
scoring_elements 0.00374
published_at 2026-04-08T12:55:00Z
6
value 6e-05
scoring_system epss
scoring_elements 0.00377
published_at 2026-04-07T12:55:00Z
7
value 6e-05
scoring_system epss
scoring_elements 0.00388
published_at 2026-04-04T12:55:00Z
8
value 7e-05
scoring_system epss
scoring_elements 0.00451
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27977
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:56:08Z/
url https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:56:08Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:56:08Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27977
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27977
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448514
reference_id 2448514
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448514
8
reference_url https://github.com/advisories/GHSA-jcc7-9wpm-mj36
reference_id GHSA-jcc7-9wpm-mj36
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jcc7-9wpm-mj36
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27977, GHSA-jcc7-9wpm-mj36
risk_score 1.9
exploitability 0.5
weighted_severity 3.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wa6u-pkgn-cbaf
7
url VCID-xv6q-hbf8-b7b1
vulnerability_id VCID-xv6q-hbf8-b7b1
summary 
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59471
reference_id
reference_type
scores
0
value 0.00026
scoring_system epss
scoring_elements 0.07214
published_at 2026-04-02T12:55:00Z
1
value 0.00027
scoring_system epss
scoring_elements 0.07621
published_at 2026-04-18T12:55:00Z
2
value 0.00027
scoring_system epss
scoring_elements 0.07692
published_at 2026-04-04T12:55:00Z
3
value 0.00027
scoring_system epss
scoring_elements 0.07661
published_at 2026-04-07T12:55:00Z
4
value 0.00027
scoring_system epss
scoring_elements 0.07721
published_at 2026-04-08T12:55:00Z
5
value 0.00027
scoring_system epss
scoring_elements 0.07739
published_at 2026-04-09T12:55:00Z
6
value 0.00027
scoring_system epss
scoring_elements 0.07738
published_at 2026-04-11T12:55:00Z
7
value 0.00027
scoring_system epss
scoring_elements 0.07724
published_at 2026-04-12T12:55:00Z
8
value 0.00027
scoring_system epss
scoring_elements 0.07708
published_at 2026-04-13T12:55:00Z
9
value 0.00027
scoring_system epss
scoring_elements 0.07633
published_at 2026-04-16T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59471
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
4
reference_url https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
5
reference_url https://github.com/vercel/next.js/releases/tag/v15.5.10
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/releases/tag/v15.5.10
6
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.5
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/releases/tag/v16.1.5
7
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:54:47Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59471
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59471
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433094
reference_id 2433094
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433094
10
reference_url https://github.com/advisories/GHSA-9g9p-9gw9-jx7f
reference_id GHSA-9g9p-9gw9-jx7f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9g9p-9gw9-jx7f
fixed_packages
0
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5kj1-stm6-8qgv
1
vulnerability VCID-6rmp-13nt-2kb9
2
vulnerability VCID-7skv-ksvn-f7bu
3
vulnerability VCID-qz2s-22e2-ufg9
4
vulnerability VCID-wa6u-pkgn-cbaf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases CVE-2025-59471, GHSA-9g9p-9gw9-jx7f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xv6q-hbf8-b7b1
Fixing_vulnerabilities
0
url VCID-fpzm-tpp7-jbft
vulnerability_id VCID-fpzm-tpp7-jbft
summary 
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types.  As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
3
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55184
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-55184
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
reference_id CVE-2025-67779
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
5
reference_url https://www.facebook.com/security/advisories/cve-2025-67779
reference_id CVE-2025-67779
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.facebook.com/security/advisories/cve-2025-67779
6
reference_url https://github.com/advisories/GHSA-5j59-xgg2-r9c4
reference_id GHSA-5j59-xgg2-r9c4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5j59-xgg2-r9c4
7
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4
reference_id GHSA-5j59-xgg2-r9c4
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4
fixed_packages
0
url pkg:npm/next@14.2.35
purl pkg:npm/next@14.2.35
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5kj1-stm6-8qgv
1
vulnerability VCID-qz2s-22e2-ufg9
2
vulnerability VCID-w35n-bwuy-5kce
3
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.35
1
url pkg:npm/next@15.0.7
purl pkg:npm/next@15.0.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-qz2s-22e2-ufg9
3
vulnerability VCID-w35n-bwuy-5kce
4
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.7
2
url pkg:npm/next@15.1.11
purl pkg:npm/next@15.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-qz2s-22e2-ufg9
3
vulnerability VCID-w35n-bwuy-5kce
4
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.11
3
url pkg:npm/next@15.2.8
purl pkg:npm/next@15.2.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-qz2s-22e2-ufg9
3
vulnerability VCID-w35n-bwuy-5kce
4
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.8
4
url pkg:npm/next@15.3.8
purl pkg:npm/next@15.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-qz2s-22e2-ufg9
3
vulnerability VCID-w35n-bwuy-5kce
4
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.8
5
url pkg:npm/next@15.4.10
purl pkg:npm/next@15.4.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-qz2s-22e2-ufg9
3
vulnerability VCID-w35n-bwuy-5kce
4
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.10
6
url pkg:npm/next@15.5.9
purl pkg:npm/next@15.5.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-qz2s-22e2-ufg9
3
vulnerability VCID-w35n-bwuy-5kce
4
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.9
7
url pkg:npm/next@15.6.0-canary.60
purl pkg:npm/next@15.6.0-canary.60
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-w35n-bwuy-5kce
2
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.60
8
url pkg:npm/next@16.0.10
purl pkg:npm/next@16.0.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-6rmp-13nt-2kb9
3
vulnerability VCID-7skv-ksvn-f7bu
4
vulnerability VCID-qz2s-22e2-ufg9
5
vulnerability VCID-w35n-bwuy-5kce
6
vulnerability VCID-wa6u-pkgn-cbaf
7
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.10
9
url pkg:npm/next@16.1.0-canary.19
purl pkg:npm/next@16.1.0-canary.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3m4d-v2y1-5ua4
1
vulnerability VCID-5kj1-stm6-8qgv
2
vulnerability VCID-6rmp-13nt-2kb9
3
vulnerability VCID-7skv-ksvn-f7bu
4
vulnerability VCID-qz2s-22e2-ufg9
5
vulnerability VCID-w35n-bwuy-5kce
6
vulnerability VCID-wa6u-pkgn-cbaf
7
vulnerability VCID-xv6q-hbf8-b7b1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.19
aliases GHSA-5j59-xgg2-r9c4
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fpzm-tpp7-jbft
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.19