Lookup for vulnerable packages by Package URL.

Purl pkg:npm/next@15.6.0-canary.18
Type npm
Namespace
Name next
Version 15.6.0-canary.18
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 16.2.6
Latest_non_vulnerable_version 16.2.6
Affected_by_vulnerabilities
0
url VCID-29qk-jgck-2kb2
vulnerability_id VCID-29qk-jgck-2kb2
summary
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59471
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.13005
published_at 2026-06-14T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.13027
published_at 2026-06-13T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12923
published_at 2026-06-11T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.13017
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59471
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
4
reference_url https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
5
reference_url https://github.com/vercel/next.js/releases/tag/v15.5.10
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/releases/tag/v15.5.10
6
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.5
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/releases/tag/v16.1.5
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433094
reference_id 2433094
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433094
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59471
reference_id CVE-2025-59471
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59471
9
reference_url https://github.com/advisories/GHSA-9g9p-9gw9-jx7f
reference_id GHSA-9g9p-9gw9-jx7f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9g9p-9gw9-jx7f
10
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
reference_id GHSA-9g9p-9gw9-jx7f
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:54:47Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
fixed_packages
0
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2wxy-d9mx-u7du
1
vulnerability VCID-4kgz-73xy-xyb2
2
vulnerability VCID-51r9-nmc2-tyc7
3
vulnerability VCID-5ehn-67ys-73h1
4
vulnerability VCID-6r5c-d48p-9qa4
5
vulnerability VCID-93c9-up9w-5fdv
6
vulnerability VCID-9r3b-phvp-xfck
7
vulnerability VCID-b2hu-vcgt-7ydr
8
vulnerability VCID-bjvd-79eg-17f3
9
vulnerability VCID-chsk-ka34-yqaf
10
vulnerability VCID-gh18-cr6c-47hm
11
vulnerability VCID-haxf-nay6-v3hg
12
vulnerability VCID-qptg-e7c6-puhs
13
vulnerability VCID-uqrk-gg9y-5bfz
14
vulnerability VCID-w4pk-pmxb-c7fr
15
vulnerability VCID-wgv6-ermy-yycy
16
vulnerability VCID-xzrf-tsxp-hqeg
17
vulnerability VCID-yddv-cunp-yyd7
18
vulnerability VCID-zrny-u44x-3fh1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases CVE-2025-59471, GHSA-9g9p-9gw9-jx7f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-29qk-jgck-2kb2
1
url VCID-51mc-n64v-nugj
vulnerability_id VCID-51mc-n64v-nugj
summary Next Server Actions Source Code Exposure
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55183
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-55183
3
reference_url https://github.com/advisories/GHSA-w37m-7fhw-fmv9
reference_id GHSA-w37m-7fhw-fmv9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w37m-7fhw-fmv9
4
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
reference_id GHSA-w37m-7fhw-fmv9
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
fixed_packages
0
url pkg:npm/next@15.6.0-canary.59
purl pkg:npm/next@15.6.0-canary.59
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
1
vulnerability VCID-c9sc-ajq2-pyda
2
vulnerability VCID-v7dq-7t8n-j7b5
3
vulnerability VCID-zuh1-7568-nbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.59
1
url pkg:npm/next@16.0.9
purl pkg:npm/next@16.0.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
1
vulnerability VCID-2wxy-d9mx-u7du
2
vulnerability VCID-4kgz-73xy-xyb2
3
vulnerability VCID-51r9-nmc2-tyc7
4
vulnerability VCID-5ehn-67ys-73h1
5
vulnerability VCID-6r5c-d48p-9qa4
6
vulnerability VCID-93c9-up9w-5fdv
7
vulnerability VCID-9r3b-phvp-xfck
8
vulnerability VCID-b2hu-vcgt-7ydr
9
vulnerability VCID-bjvd-79eg-17f3
10
vulnerability VCID-c9sc-ajq2-pyda
11
vulnerability VCID-chsk-ka34-yqaf
12
vulnerability VCID-gh18-cr6c-47hm
13
vulnerability VCID-haxf-nay6-v3hg
14
vulnerability VCID-qptg-e7c6-puhs
15
vulnerability VCID-uqrk-gg9y-5bfz
16
vulnerability VCID-v7dq-7t8n-j7b5
17
vulnerability VCID-w4pk-pmxb-c7fr
18
vulnerability VCID-wgv6-ermy-yycy
19
vulnerability VCID-xzrf-tsxp-hqeg
20
vulnerability VCID-yddv-cunp-yyd7
21
vulnerability VCID-zrny-u44x-3fh1
22
vulnerability VCID-zuh1-7568-nbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9
2
url pkg:npm/next@16.1.0-canary.17
purl pkg:npm/next@16.1.0-canary.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
1
vulnerability VCID-2wxy-d9mx-u7du
2
vulnerability VCID-4kgz-73xy-xyb2
3
vulnerability VCID-51r9-nmc2-tyc7
4
vulnerability VCID-5ehn-67ys-73h1
5
vulnerability VCID-6r5c-d48p-9qa4
6
vulnerability VCID-93c9-up9w-5fdv
7
vulnerability VCID-9r3b-phvp-xfck
8
vulnerability VCID-b2hu-vcgt-7ydr
9
vulnerability VCID-bjvd-79eg-17f3
10
vulnerability VCID-c9sc-ajq2-pyda
11
vulnerability VCID-chsk-ka34-yqaf
12
vulnerability VCID-gh18-cr6c-47hm
13
vulnerability VCID-haxf-nay6-v3hg
14
vulnerability VCID-qptg-e7c6-puhs
15
vulnerability VCID-uqrk-gg9y-5bfz
16
vulnerability VCID-v7dq-7t8n-j7b5
17
vulnerability VCID-w4pk-pmxb-c7fr
18
vulnerability VCID-wgv6-ermy-yycy
19
vulnerability VCID-xzrf-tsxp-hqeg
20
vulnerability VCID-yddv-cunp-yyd7
21
vulnerability VCID-zrny-u44x-3fh1
22
vulnerability VCID-zuh1-7568-nbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17
aliases GHSA-w37m-7fhw-fmv9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-51mc-n64v-nugj
2
url VCID-c9sc-ajq2-pyda
vulnerability_id VCID-c9sc-ajq2-pyda
summary Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://vercel.com/changelog/summary-of-cve-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://vercel.com/changelog/summary-of-cve-2026-23864
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
reference_id CVE-2026-23864
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
3
reference_url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
reference_id GHSA-83fc-fqcc-2hmg
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
4
reference_url https://github.com/advisories/GHSA-h25m-26qc-wcjf
reference_id GHSA-h25m-26qc-wcjf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h25m-26qc-wcjf
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
reference_id GHSA-h25m-26qc-wcjf
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
fixed_packages
0
url pkg:npm/next@15.6.0-canary.61
purl pkg:npm/next@15.6.0-canary.61
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.61
1
url pkg:npm/next@16.0.11
purl pkg:npm/next@16.0.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
1
vulnerability VCID-2wxy-d9mx-u7du
2
vulnerability VCID-4kgz-73xy-xyb2
3
vulnerability VCID-51r9-nmc2-tyc7
4
vulnerability VCID-5ehn-67ys-73h1
5
vulnerability VCID-6r5c-d48p-9qa4
6
vulnerability VCID-93c9-up9w-5fdv
7
vulnerability VCID-9r3b-phvp-xfck
8
vulnerability VCID-b2hu-vcgt-7ydr
9
vulnerability VCID-bjvd-79eg-17f3
10
vulnerability VCID-chsk-ka34-yqaf
11
vulnerability VCID-gh18-cr6c-47hm
12
vulnerability VCID-haxf-nay6-v3hg
13
vulnerability VCID-qptg-e7c6-puhs
14
vulnerability VCID-uqrk-gg9y-5bfz
15
vulnerability VCID-v7dq-7t8n-j7b5
16
vulnerability VCID-w4pk-pmxb-c7fr
17
vulnerability VCID-wgv6-ermy-yycy
18
vulnerability VCID-xzrf-tsxp-hqeg
19
vulnerability VCID-yddv-cunp-yyd7
20
vulnerability VCID-zrny-u44x-3fh1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.11
2
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2wxy-d9mx-u7du
1
vulnerability VCID-4kgz-73xy-xyb2
2
vulnerability VCID-51r9-nmc2-tyc7
3
vulnerability VCID-5ehn-67ys-73h1
4
vulnerability VCID-6r5c-d48p-9qa4
5
vulnerability VCID-93c9-up9w-5fdv
6
vulnerability VCID-9r3b-phvp-xfck
7
vulnerability VCID-b2hu-vcgt-7ydr
8
vulnerability VCID-bjvd-79eg-17f3
9
vulnerability VCID-chsk-ka34-yqaf
10
vulnerability VCID-gh18-cr6c-47hm
11
vulnerability VCID-haxf-nay6-v3hg
12
vulnerability VCID-qptg-e7c6-puhs
13
vulnerability VCID-uqrk-gg9y-5bfz
14
vulnerability VCID-w4pk-pmxb-c7fr
15
vulnerability VCID-wgv6-ermy-yycy
16
vulnerability VCID-xzrf-tsxp-hqeg
17
vulnerability VCID-yddv-cunp-yyd7
18
vulnerability VCID-zrny-u44x-3fh1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases GHSA-h25m-26qc-wcjf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c9sc-ajq2-pyda
3
url VCID-gm62-hv3y-v7b8
vulnerability_id VCID-gm62-hv3y-v7b8
summary Next Vulnerable to Denial of Service with Server Components
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55184
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-55184
3
reference_url https://github.com/advisories/GHSA-mwv6-3258-q52c
reference_id GHSA-mwv6-3258-q52c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mwv6-3258-q52c
4
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
reference_id GHSA-mwv6-3258-q52c
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
fixed_packages
0
url pkg:npm/next@15.6.0-canary.59
purl pkg:npm/next@15.6.0-canary.59
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
1
vulnerability VCID-c9sc-ajq2-pyda
2
vulnerability VCID-v7dq-7t8n-j7b5
3
vulnerability VCID-zuh1-7568-nbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.59
1
url pkg:npm/next@16.0.9
purl pkg:npm/next@16.0.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
1
vulnerability VCID-2wxy-d9mx-u7du
2
vulnerability VCID-4kgz-73xy-xyb2
3
vulnerability VCID-51r9-nmc2-tyc7
4
vulnerability VCID-5ehn-67ys-73h1
5
vulnerability VCID-6r5c-d48p-9qa4
6
vulnerability VCID-93c9-up9w-5fdv
7
vulnerability VCID-9r3b-phvp-xfck
8
vulnerability VCID-b2hu-vcgt-7ydr
9
vulnerability VCID-bjvd-79eg-17f3
10
vulnerability VCID-c9sc-ajq2-pyda
11
vulnerability VCID-chsk-ka34-yqaf
12
vulnerability VCID-gh18-cr6c-47hm
13
vulnerability VCID-haxf-nay6-v3hg
14
vulnerability VCID-qptg-e7c6-puhs
15
vulnerability VCID-uqrk-gg9y-5bfz
16
vulnerability VCID-v7dq-7t8n-j7b5
17
vulnerability VCID-w4pk-pmxb-c7fr
18
vulnerability VCID-wgv6-ermy-yycy
19
vulnerability VCID-xzrf-tsxp-hqeg
20
vulnerability VCID-yddv-cunp-yyd7
21
vulnerability VCID-zrny-u44x-3fh1
22
vulnerability VCID-zuh1-7568-nbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9
2
url pkg:npm/next@16.1.0-canary.17
purl pkg:npm/next@16.1.0-canary.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
1
vulnerability VCID-2wxy-d9mx-u7du
2
vulnerability VCID-4kgz-73xy-xyb2
3
vulnerability VCID-51r9-nmc2-tyc7
4
vulnerability VCID-5ehn-67ys-73h1
5
vulnerability VCID-6r5c-d48p-9qa4
6
vulnerability VCID-93c9-up9w-5fdv
7
vulnerability VCID-9r3b-phvp-xfck
8
vulnerability VCID-b2hu-vcgt-7ydr
9
vulnerability VCID-bjvd-79eg-17f3
10
vulnerability VCID-c9sc-ajq2-pyda
11
vulnerability VCID-chsk-ka34-yqaf
12
vulnerability VCID-gh18-cr6c-47hm
13
vulnerability VCID-haxf-nay6-v3hg
14
vulnerability VCID-qptg-e7c6-puhs
15
vulnerability VCID-uqrk-gg9y-5bfz
16
vulnerability VCID-v7dq-7t8n-j7b5
17
vulnerability VCID-w4pk-pmxb-c7fr
18
vulnerability VCID-wgv6-ermy-yycy
19
vulnerability VCID-xzrf-tsxp-hqeg
20
vulnerability VCID-yddv-cunp-yyd7
21
vulnerability VCID-zrny-u44x-3fh1
22
vulnerability VCID-zuh1-7568-nbg3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17
aliases GHSA-mwv6-3258-q52c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gm62-hv3y-v7b8
4
url VCID-v7dq-7t8n-j7b5
vulnerability_id VCID-v7dq-7t8n-j7b5
summary
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59472
reference_id
reference_type
scores
0
value 0.0015
scoring_system epss
scoring_elements 0.35484
published_at 2026-06-14T12:55:00Z
1
value 0.0015
scoring_system epss
scoring_elements 0.35501
published_at 2026-06-13T12:55:00Z
2
value 0.0015
scoring_system epss
scoring_elements 0.35299
published_at 2026-06-11T12:55:00Z
3
value 0.0015
scoring_system epss
scoring_elements 0.35478
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59472
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433092
reference_id 2433092
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433092
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59472
reference_id CVE-2025-59472
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59472
6
reference_url https://github.com/advisories/GHSA-5f7q-jpqc-wp7h
reference_id GHSA-5f7q-jpqc-wp7h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5f7q-jpqc-wp7h
7
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
reference_id GHSA-5f7q-jpqc-wp7h
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:52:42Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
fixed_packages
0
url pkg:npm/next@15.6.0-canary.61
purl pkg:npm/next@15.6.0-canary.61
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-29qk-jgck-2kb2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.61
1
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2wxy-d9mx-u7du
1
vulnerability VCID-4kgz-73xy-xyb2
2
vulnerability VCID-51r9-nmc2-tyc7
3
vulnerability VCID-5ehn-67ys-73h1
4
vulnerability VCID-6r5c-d48p-9qa4
5
vulnerability VCID-93c9-up9w-5fdv
6
vulnerability VCID-9r3b-phvp-xfck
7
vulnerability VCID-b2hu-vcgt-7ydr
8
vulnerability VCID-bjvd-79eg-17f3
9
vulnerability VCID-chsk-ka34-yqaf
10
vulnerability VCID-gh18-cr6c-47hm
11
vulnerability VCID-haxf-nay6-v3hg
12
vulnerability VCID-qptg-e7c6-puhs
13
vulnerability VCID-uqrk-gg9y-5bfz
14
vulnerability VCID-w4pk-pmxb-c7fr
15
vulnerability VCID-wgv6-ermy-yycy
16
vulnerability VCID-xzrf-tsxp-hqeg
17
vulnerability VCID-yddv-cunp-yyd7
18
vulnerability VCID-zrny-u44x-3fh1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases CVE-2025-59472, GHSA-5f7q-jpqc-wp7h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v7dq-7t8n-j7b5
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.18