{"url":"http://public2.vulnerablecode.io/api/packages/214501?format=json","purl":"pkg:npm/next@2.0.0-beta.21","type":"npm","namespace":"","name":"next","version":"2.0.0-beta.21","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"15.5.15","latest_non_vulnerable_version":"16.2.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58033?format=json","vulnerability_id":"VCID-471k-npa7-wqhx","summary":"Next.js Content Injection Vulnerability for Image Optimization\nA vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.\n\nAll users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55173","reference_id":"","reference_type":"","scores":[{"value":"0.00687","scoring_system":"epss","scoring_elements":"0.72156","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00687","scoring_system":"epss","scoring_elements":"0.72159","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00687","scoring_system":"epss","scoring_elements":"0.72165","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00687","scoring_system":"epss","scoring_elements":"0.72144","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00687","scoring_system":"epss","scoring_elements":"0.72131","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55173"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/"}],"url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd"},{"reference_url":"http://vercel.com/changelog/cve-2025-55173","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://vercel.com/changelog/cve-2025-55173"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392059","reference_id":"2392059","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392059"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55173","reference_id":"CVE-2025-55173","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55173"},{"reference_url":"https://vercel.com/changelog/cve-2025-55173","reference_id":"CVE-2025-55173","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/"}],"url":"https://vercel.com/changelog/cve-2025-55173"},{"reference_url":"https://github.com/advisories/GHSA-xv57-4mr9-wg8v","reference_id":"GHSA-xv57-4mr9-wg8v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xv57-4mr9-wg8v"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v","reference_id":"GHSA-xv57-4mr9-wg8v","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86332?format=json","purl":"pkg:npm/next@14.2.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38m6-9vq5-a7a7"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31"},{"url":"http://public2.vulnerablecode.io/api/packages/86333?format=json","purl":"pkg:npm/next@15.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q2t-61xt-u3ax"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-k1q6-b8t3-hqb6"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5"}],"aliases":["CVE-2025-55173","GHSA-xv57-4mr9-wg8v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-471k-npa7-wqhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58037?format=json","vulnerability_id":"VCID-5c7e-4dkw-63fg","summary":"Next.js Improper Middleware Redirect Handling Leads to SSRF\nA vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.\n\nAll users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57822","reference_id":"","reference_type":"","scores":[{"value":"0.07815","scoring_system":"epss","scoring_elements":"0.92148","published_at":"2026-06-09T12:55:00Z"},{"value":"0.07815","scoring_system":"epss","scoring_elements":"0.92134","published_at":"2026-06-08T12:55:00Z"},{"value":"0.07815","scoring_system":"epss","scoring_elements":"0.92135","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07815","scoring_system":"epss","scoring_elements":"0.92137","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57822"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/"}],"url":"https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57822","reference_id":"CVE-2025-57822","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57822"},{"reference_url":"https://vercel.com/changelog/cve-2025-57822","reference_id":"CVE-2025-57822","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/"}],"url":"https://vercel.com/changelog/cve-2025-57822"},{"reference_url":"https://github.com/advisories/GHSA-4342-x723-ch2f","reference_id":"GHSA-4342-x723-ch2f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4342-x723-ch2f"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f","reference_id":"GHSA-4342-x723-ch2f","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86341?format=json","purl":"pkg:npm/next@14.2.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38m6-9vq5-a7a7"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.32"},{"url":"http://public2.vulnerablecode.io/api/packages/86342?format=json","purl":"pkg:npm/next@15.4.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q2t-61xt-u3ax"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-k1q6-b8t3-hqb6"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.7"}],"aliases":["CVE-2025-57822","GHSA-4342-x723-ch2f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5c7e-4dkw-63fg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53503?format=json","vulnerability_id":"VCID-92d9-g7rt-jqc4","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in next.","references":[{"reference_url":"https://github.com/masasron/vulnerability-research/tree/master/CVE-2018-6184/LFI","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/masasron/vulnerability-research/tree/master/CVE-2018-6184/LFI"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://www.npmjs.com/advisories/1538","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1538"},{"reference_url":"https://github.com/advisories/GHSA-5vj8-3v2h-h38v","reference_id":"GHSA-5vj8-3v2h-h38v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vj8-3v2h-h38v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78556?format=json","purl":"pkg:npm/next@5.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-9gek-11vr-pfbw"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-gw2b-uwg6-sba6"},{"vulnerability":"VCID-qkfv-k941-7uh9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@5.1.0"}],"aliases":["GHSA-5vj8-3v2h-h38v","GMS-2020-750"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-92d9-g7rt-jqc4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52437?format=json","vulnerability_id":"VCID-9gek-11vr-pfbw","summary":"Directory Traversal in Next.js\n- **Not affected**: Deployments on ZEIT Now v2 ([https://zeit.co](https://zeit.co/)) are not affected\n- **Not affected**: Deployments using the `serverless` target\n- **Not affected**: Deployments using `next export`\n- **Affected**: Users of Next.js below 9.3.2\n\nWe recommend everyone to upgrade regardless of whether you can reproduce the issue or not.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5284","reference_id":"","reference_type":"","scores":[{"value":"0.79833","scoring_system":"epss","scoring_elements":"0.99125","published_at":"2026-06-08T12:55:00Z"},{"value":"0.79833","scoring_system":"epss","scoring_elements":"0.99124","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5284"},{"reference_url":"https://github.com/zeit/next.js/releases/tag/v9.3.2","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zeit/next.js/releases/tag/v9.3.2"},{"reference_url":"https://www.npmjs.com/advisories/1503","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1503"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5284","reference_id":"CVE-2020-5284","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5284"},{"reference_url":"https://github.com/advisories/GHSA-fq77-7p7r-83rj","reference_id":"GHSA-fq77-7p7r-83rj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fq77-7p7r-83rj"},{"reference_url":"https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj","reference_id":"GHSA-fq77-7p7r-83rj","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76988?format=json","purl":"pkg:npm/next@9.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-gw2b-uwg6-sba6"},{"vulnerability":"VCID-qkfv-k941-7uh9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@9.3.2"}],"aliases":["CVE-2020-5284","GHSA-fq77-7p7r-83rj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9gek-11vr-pfbw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39342?format=json","vulnerability_id":"VCID-bdbs-r1hh-vqby","summary":"Path Traversal\nNext.js has Directory Traversal in the `/_next` request namespace.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6184","reference_id":"","reference_type":"","scores":[{"value":"0.14624","scoring_system":"epss","scoring_elements":"0.94611","published_at":"2026-06-07T12:55:00Z"},{"value":"0.14624","scoring_system":"epss","scoring_elements":"0.94617","published_at":"2026-06-09T12:55:00Z"},{"value":"0.14624","scoring_system":"epss","scoring_elements":"0.94612","published_at":"2026-06-08T12:55:00Z"},{"value":"0.14624","scoring_system":"epss","scoring_elements":"0.94609","published_at":"2026-06-06T12:55:00Z"},{"value":"0.14624","scoring_system":"epss","scoring_elements":"0.946","published_at":"2026-06-04T12:55:00Z"},{"value":"0.14624","scoring_system":"epss","scoring_elements":"0.94608","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-6184"},{"reference_url":"https://github.com/advisories/GHSA-m34x-wgrh-g897","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m34x-wgrh-g897"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/4.2.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/releases/tag/4.2.3"},{"reference_url":"https://github.com/zeit/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zeit/next.js"},{"reference_url":"https://github.com/zeit/next.js/releases/tag/4.2.3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/zeit/next.js/releases/tag/4.2.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6184","reference_id":"CVE-2018-6184","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-6184"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/215684?format=json","purl":"pkg:npm/next@4.2.0-canary.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-92d9-g7rt-jqc4"},{"vulnerability":"VCID-9gek-11vr-pfbw"},{"vulnerability":"VCID-bdbs-r1hh-vqby"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-gw2b-uwg6-sba6"},{"vulnerability":"VCID-qkfv-k941-7uh9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@4.2.0-canary.1"},{"url":"http://public2.vulnerablecode.io/api/packages/54935?format=json","purl":"pkg:npm/next@4.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-92d9-g7rt-jqc4"},{"vulnerability":"VCID-9gek-11vr-pfbw"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-gw2b-uwg6-sba6"},{"vulnerability":"VCID-qkfv-k941-7uh9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@4.2.3"}],"aliases":["CVE-2018-6184","GHSA-m34x-wgrh-g897"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bdbs-r1hh-vqby"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58029?format=json","vulnerability_id":"VCID-cqhe-wty9-5qec","summary":"Next.js Affected by Cache Key Confusion for Image Optimization API Routes\nA vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.\n\nAll users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57752","reference_id":"","reference_type":"","scores":[{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.3442","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34462","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34478","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34442","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34399","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57752"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd"},{"reference_url":"https://github.com/vercel/next.js/pull/82114","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://github.com/vercel/next.js/pull/82114"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392060","reference_id":"2392060","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392060"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57752","reference_id":"CVE-2025-57752","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57752"},{"reference_url":"https://vercel.com/changelog/cve-2025-57752","reference_id":"CVE-2025-57752","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://vercel.com/changelog/cve-2025-57752"},{"reference_url":"https://github.com/advisories/GHSA-g5qg-72qw-gw5v","reference_id":"GHSA-g5qg-72qw-gw5v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g5qg-72qw-gw5v"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v","reference_id":"GHSA-g5qg-72qw-gw5v","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86332?format=json","purl":"pkg:npm/next@14.2.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38m6-9vq5-a7a7"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31"},{"url":"http://public2.vulnerablecode.io/api/packages/86333?format=json","purl":"pkg:npm/next@15.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q2t-61xt-u3ax"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-k1q6-b8t3-hqb6"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5"}],"aliases":["CVE-2025-57752","GHSA-g5qg-72qw-gw5v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cqhe-wty9-5qec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46252?format=json","vulnerability_id":"VCID-gw2b-uwg6-sba6","summary":"Next.js missing cache-control header may lead to CDN caching empty reply\nNext.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46298","reference_id":"","reference_type":"","scores":[{"value":"0.00373","scoring_system":"epss","scoring_elements":"0.59357","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00373","scoring_system":"epss","scoring_elements":"0.5935","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00373","scoring_system":"epss","scoring_elements":"0.59333","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00373","scoring_system":"epss","scoring_elements":"0.59352","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00373","scoring_system":"epss","scoring_elements":"0.59361","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46298"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648"},{"reference_url":"https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13"},{"reference_url":"https://github.com/vercel/next.js/issues/45301","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/issues/45301"},{"reference_url":"https://github.com/vercel/next.js/pull/54732","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/pull/54732"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46298","reference_id":"CVE-2023-46298","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46298"},{"reference_url":"https://github.com/advisories/GHSA-c59h-r6p8-q9wc","reference_id":"GHSA-c59h-r6p8-q9wc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c59h-r6p8-q9wc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67440?format=json","purl":"pkg:npm/next@13.4.20-canary.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16tt-tr4a-9fdx"},{"vulnerability":"VCID-38m6-9vq5-a7a7"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-4wd3-rj51-ykdx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-dd36-8ju8-gqej"},{"vulnerability":"VCID-dwdu-j3tf-tyav"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-gw2b-uwg6-sba6"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-pmah-ugvq-jqbs"},{"vulnerability":"VCID-qkfv-k941-7uh9"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"},{"vulnerability":"VCID-wb5m-12ur-rqhh"},{"vulnerability":"VCID-x36h-yutm-dkcr"},{"vulnerability":"VCID-zq9q-e5g1-dffr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.0"},{"url":"http://public2.vulnerablecode.io/api/packages/134221?format=json","purl":"pkg:npm/next@13.4.20-canary.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16tt-tr4a-9fdx"},{"vulnerability":"VCID-38m6-9vq5-a7a7"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-4wd3-rj51-ykdx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-dd36-8ju8-gqej"},{"vulnerability":"VCID-dwdu-j3tf-tyav"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-gw2b-uwg6-sba6"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-pmah-ugvq-jqbs"},{"vulnerability":"VCID-qkfv-k941-7uh9"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"},{"vulnerability":"VCID-wb5m-12ur-rqhh"},{"vulnerability":"VCID-x36h-yutm-dkcr"},{"vulnerability":"VCID-zq9q-e5g1-dffr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.13"},{"url":"http://public2.vulnerablecode.io/api/packages/82132?format=json","purl":"pkg:npm/next@13.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-16tt-tr4a-9fdx"},{"vulnerability":"VCID-38m6-9vq5-a7a7"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-4wd3-rj51-ykdx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-dd36-8ju8-gqej"},{"vulnerability":"VCID-dwdu-j3tf-tyav"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-pmah-ugvq-jqbs"},{"vulnerability":"VCID-qkfv-k941-7uh9"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"},{"vulnerability":"VCID-wb5m-12ur-rqhh"},{"vulnerability":"VCID-x36h-yutm-dkcr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.0"}],"aliases":["CVE-2023-46298","GHSA-c59h-r6p8-q9wc"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gw2b-uwg6-sba6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39168?format=json","vulnerability_id":"VCID-mm95-b9xw-67af","summary":"Path Traversal\nNext has directory traversal under the `/_next` and `/static` request namespace, allowing attackers to obtain sensitive information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16877","reference_id":"","reference_type":"","scores":[{"value":"0.80763","scoring_system":"epss","scoring_elements":"0.99165","published_at":"2026-06-07T12:55:00Z"},{"value":"0.80763","scoring_system":"epss","scoring_elements":"0.99166","published_at":"2026-06-09T12:55:00Z"},{"value":"0.80763","scoring_system":"epss","scoring_elements":"0.99164","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16877"},{"reference_url":"https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00"},{"reference_url":"https://github.com/zeit/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zeit/next.js"},{"reference_url":"https://github.com/zeit/next.js/releases/tag/2.4.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/zeit/next.js/releases/tag/2.4.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16877","reference_id":"CVE-2017-16877","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16877"},{"reference_url":"https://github.com/advisories/GHSA-3f5c-4qxj-vmpf","reference_id":"GHSA-3f5c-4qxj-vmpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f5c-4qxj-vmpf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54716?format=json","purl":"pkg:npm/next@2.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-92d9-g7rt-jqc4"},{"vulnerability":"VCID-9gek-11vr-pfbw"},{"vulnerability":"VCID-bdbs-r1hh-vqby"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-gw2b-uwg6-sba6"},{"vulnerability":"VCID-qkfv-k941-7uh9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@2.4.1"}],"aliases":["CVE-2017-16877","GHSA-3f5c-4qxj-vmpf"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mm95-b9xw-67af"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57299?format=json","vulnerability_id":"VCID-qkfv-k941-7uh9","summary":"Next.js Race Condition to Cache Poisoning\n**Summary**\nWe received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML.\n\n[Learn more here](https://vercel.com/changelog/cve-2025-32421)\n\n**Credit**\nThank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32421","reference_id":"","reference_type":"","scores":[{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73578","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73556","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73569","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73582","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32421"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2366366","reference_id":"2366366","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2366366"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32421","reference_id":"CVE-2025-32421","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32421"},{"reference_url":"https://vercel.com/changelog/cve-2025-32421","reference_id":"CVE-2025-32421","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/"}],"url":"https://vercel.com/changelog/cve-2025-32421"},{"reference_url":"https://github.com/advisories/GHSA-qpjv-v59x-3qc4","reference_id":"GHSA-qpjv-v59x-3qc4","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpjv-v59x-3qc4"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4","reference_id":"GHSA-qpjv-v59x-3qc4","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85143?format=json","purl":"pkg:npm/next@14.2.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-38m6-9vq5-a7a7"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-dd36-8ju8-gqej"},{"vulnerability":"VCID-dwdu-j3tf-tyav"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.24"},{"url":"http://public2.vulnerablecode.io/api/packages/85144?format=json","purl":"pkg:npm/next@15.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2q2t-61xt-u3ax"},{"vulnerability":"VCID-3ruh-95mg-wybh"},{"vulnerability":"VCID-3rx6-y94b-27ep"},{"vulnerability":"VCID-471k-npa7-wqhx"},{"vulnerability":"VCID-5c7e-4dkw-63fg"},{"vulnerability":"VCID-6um9-q6h7-v3ad"},{"vulnerability":"VCID-753e-dm2r-sybh"},{"vulnerability":"VCID-cqhe-wty9-5qec"},{"vulnerability":"VCID-dd36-8ju8-gqej"},{"vulnerability":"VCID-dwdu-j3tf-tyav"},{"vulnerability":"VCID-ffry-2c7p-vyhp"},{"vulnerability":"VCID-k1q6-b8t3-hqb6"},{"vulnerability":"VCID-kxdb-aa4z-qqbu"},{"vulnerability":"VCID-vqxd-ebjg-c3cw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.6"}],"aliases":["CVE-2025-32421","GHSA-qpjv-v59x-3qc4"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qkfv-k941-7uh9"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@2.0.0-beta.21"}