Search for packages
| purl | pkg:npm/next@11.1.3-canary.33 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-54qu-9bx2-9ka8
Aliases: CVE-2025-57822 GHSA-4342-x723-ch2f |
Next.js Improper Middleware Redirect Handling Leads to SSRF A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822) |
Affected by 6 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-5kj1-stm6-8qgv
Aliases: CVE-2026-29057 GHSA-ggv3-7p47-pfv8 |
Next.js: HTTP request smuggling in rewrites ## Summary When Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. ## Impact An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. ## Patches The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. ## Workarounds If upgrade is not immediately possible: - Block chunked `DELETE`/`OPTIONS` requests on rewritten routes at your edge/proxy. - Enforce authentication/authorization on backend routes per our [security guidance](https://nextjs.org/docs/app/guides/data-security). |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-fwnm-krm1-6kh6
Aliases: CVE-2024-47831 GHSA-g77x-44xx-532m |
Denial of Service condition in Next.js image optimization ### Impact The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. **Not affected:** - The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value. - The Next.js application is hosted on Vercel. ### Patches This issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version. ### Workarounds Ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned. #### Credits Brandon Dahler (brandondahler), AWS Dimitrios Vlastaras |
Affected by 15 other vulnerabilities. |
|
VCID-n7z1-rgg3-zbbb
Aliases: CVE-2022-23646 GHSA-fmvm-x8mv-47mj |
Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default. |
Affected by 11 other vulnerabilities. |
|
VCID-pqzm-ped7-vkff
Aliases: CVE-2021-43803 GHSA-25mp-g6fv-mqxx |
Improper Input Validation Next handling invalid or malformed URLs could lead to a server crash. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. |
Affected by 11 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-qz2s-22e2-ufg9
Aliases: CVE-2026-27980 GHSA-3x4c-7xq6-9pq8 |
Next.js: Unbounded next/image disk cache growth can exhaust storage ## Summary The default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. ## Impact An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel. ## Patches Fixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. ## Workarounds If upgrade is not immediately possible: - Periodically clean `.next/cache/images`. - Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`) |
Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-r4pw-m8mz-xbdq
Aliases: CVE-2025-57752 GHSA-g5qg-72qw-gw5v |
Next.js Affected by Cache Key Confusion for Image Optimization API Routes A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752) |
Affected by 7 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-rx4e-7jj2-9udg
Aliases: CVE-2023-46298 GHSA-c59h-r6p8-q9wc |
Next.js missing cache-control header may lead to CDN caching empty reply Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. |
Affected by 19 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-sjdx-v2z6-3fcw
Aliases: CVE-2025-55173 GHSA-xv57-4mr9-wg8v |
Next.js Content Injection Vulnerability for Image Optimization A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173) |
Affected by 7 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-ukfu-ane3-vfch
Aliases: CVE-2024-51479 GHSA-7gfc-8cq8-jh5f |
Next.js authorization bypass vulnerability ### Impact If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed. ### Patches This issue was patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. ### Workarounds There are no official workarounds for this vulnerability. #### Credits We'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue. |
Affected by 13 other vulnerabilities. |
|
VCID-vwym-qr5h-fue8
Aliases: CVE-2025-32421 GHSA-qpjv-v59x-3qc4 |
Next.js Race Condition to Cache Poisoning **Summary** We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. [Learn more here](https://vercel.com/changelog/cve-2025-32421) **Credit** Thank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program. |
Affected by 11 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-xv6q-hbf8-b7b1
Aliases: CVE-2025-59471 GHSA-9g9p-9gw9-jx7f |
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications. |
Affected by 3 other vulnerabilities. Affected by 5 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||