Search for packages
| purl | pkg:npm/next@12.1.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-471k-npa7-wqhx
Aliases: CVE-2025-55173 GHSA-xv57-4mr9-wg8v |
Next.js Content Injection Vulnerability for Image Optimization A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173) |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-4wd3-rj51-ykdx
Aliases: CVE-2024-51479 GHSA-7gfc-8cq8-jh5f |
Next.js authorization bypass vulnerability If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed. |
Affected by 14 other vulnerabilities. |
|
VCID-5c7e-4dkw-63fg
Aliases: CVE-2025-57822 GHSA-4342-x723-ch2f |
Next.js Improper Middleware Redirect Handling Leads to SSRF A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822) |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-753e-dm2r-sybh
Aliases: CVE-2026-27980 GHSA-3x4c-7xq6-9pq8 |
next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage |
Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-cqhe-wty9-5qec
Aliases: CVE-2025-57752 GHSA-g5qg-72qw-gw5v |
Next.js Affected by Cache Key Confusion for Image Optimization API Routes A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752) |
Affected by 8 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-dwdu-j3tf-tyav
Aliases: CVE-2025-29927 GHSA-f82v-jwr5-mffw |
Authorization Bypass in Next.js Middleware It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. |
Affected by 8 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-ffry-2c7p-vyhp
Aliases: CVE-2026-29057 GHSA-ggv3-7p47-pfv8 |
next.js: Next.js: HTTP request smuggling in rewrites |
Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-gw2b-uwg6-sba6
Aliases: CVE-2023-46298 GHSA-c59h-r6p8-q9wc |
Next.js missing cache-control header may lead to CDN caching empty reply Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. |
Affected by 20 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-qkfv-k941-7uh9
Aliases: CVE-2025-32421 GHSA-qpjv-v59x-3qc4 |
Next.js Race Condition to Cache Poisoning **Summary** We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. [Learn more here](https://vercel.com/changelog/cve-2025-32421) **Credit** Thank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program. |
Affected by 12 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-vqxd-ebjg-c3cw
Aliases: CVE-2025-59471 GHSA-9g9p-9gw9-jx7f |
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications. |
Affected by 3 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-wb5m-12ur-rqhh
Aliases: CVE-2024-47831 GHSA-g77x-44xx-532m |
Denial of Service condition in Next.js image optimization The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. **Not affected:** - The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value. - The Next.js application is hosted on Vercel. |
Affected by 16 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||