| purl | pkg:npm/next@3.0.0-beta5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3z94-57r1-t3cq; Aliases: CVE-2020-5284, GHSA-fq77-7p7r-83rj | Directory Traversal in Next.js | Affected by 5 other vulnerabilities. |
| VCID-7j2z-1rcx-5kbw; Aliases: GHSA-5vj8-3v2h-h38v, GMS-2020-750 | Remote Code Execution in next | Affected by 6 other vulnerabilities. |
| VCID-k79u-6118-zyag; Aliases: CVE-2023-46298, GHSA-c59h-r6p8-q9wc | Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. | Affected by 28 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 26 other vulnerabilities. |
| VCID-p7a7-ehjr-xqf3; Aliases: CVE-2025-57752, GHSA-g5qg-72qw-gw5v | Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. | Affected by 17 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-t6n1-e9kc-hqgx; Aliases: CVE-2025-57822, GHSA-4342-x723-ch2f | Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function. | Affected by 16 other vulnerabilities. Affected by 21 other vulnerabilities. |
| VCID-wdsq-y8uf-2feh; Aliases: CVE-2025-55173, GHSA-xv57-4mr9-wg8v | Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. | Affected by 17 other vulnerabilities. Affected by 22 other vulnerabilities. |
| VCID-xz2s-8drg-8bam; Aliases: CVE-2025-32421, GHSA-qpjv-v59x-3qc4 | Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content delivery network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers. | Affected by 21 other vulnerabilities. Affected by 24 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |