Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/next@9.5.4-canary.25
Typenpm
Namespace
Namenext
Version9.5.4-canary.25
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version15.5.15
Latest_non_vulnerable_version16.2.6
Affected_by_vulnerabilities
0
url VCID-471k-npa7-wqhx
vulnerability_id VCID-471k-npa7-wqhx
summary 
Next.js Content Injection Vulnerability for Image Optimization
A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated.

More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55173
reference_id
reference_type
scores
0
value 0.00687
scoring_system epss
scoring_elements 0.72144
published_at 2026-06-07T12:55:00Z
1
value 0.00687
scoring_system epss
scoring_elements 0.72159
published_at 2026-06-05T12:55:00Z
2
value 0.00687
scoring_system epss
scoring_elements 0.72165
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55173
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/
url https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
4
reference_url http://vercel.com/changelog/cve-2025-55173
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://vercel.com/changelog/cve-2025-55173
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2392059
reference_id 2392059
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2392059
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55173
reference_id CVE-2025-55173
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55173
7
reference_url https://vercel.com/changelog/cve-2025-55173
reference_id CVE-2025-55173
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/
url https://vercel.com/changelog/cve-2025-55173
8
reference_url https://github.com/advisories/GHSA-xv57-4mr9-wg8v
reference_id GHSA-xv57-4mr9-wg8v
reference_type
scores
url https://github.com/advisories/GHSA-xv57-4mr9-wg8v
9
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
reference_id GHSA-xv57-4mr9-wg8v
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v
fixed_packages
0
url pkg:npm/next@14.2.31
purl pkg:npm/next@14.2.31
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-5c7e-4dkw-63fg
4
vulnerability VCID-753e-dm2r-sybh
5
vulnerability VCID-ffry-2c7p-vyhp
6
vulnerability VCID-kxdb-aa4z-qqbu
7
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31
1
url pkg:npm/next@15.4.5
purl pkg:npm/next@15.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2q2t-61xt-u3ax
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-5c7e-4dkw-63fg
4
vulnerability VCID-753e-dm2r-sybh
5
vulnerability VCID-ffry-2c7p-vyhp
6
vulnerability VCID-k1q6-b8t3-hqb6
7
vulnerability VCID-kxdb-aa4z-qqbu
8
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5
aliases CVE-2025-55173, GHSA-xv57-4mr9-wg8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-471k-npa7-wqhx
1
url VCID-5c7e-4dkw-63fg
vulnerability_id VCID-5c7e-4dkw-63fg
summary 
Next.js Improper Middleware Redirect Handling Leads to SSRF
A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.

More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-57822
reference_id
reference_type
scores
0
value 0.07815
scoring_system epss
scoring_elements 0.92134
published_at 2026-06-07T12:55:00Z
1
value 0.07815
scoring_system epss
scoring_elements 0.92135
published_at 2026-06-06T12:55:00Z
2
value 0.07815
scoring_system epss
scoring_elements 0.92137
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-57822
1
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
2
reference_url https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/
url https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-57822
reference_id CVE-2025-57822
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-57822
4
reference_url https://vercel.com/changelog/cve-2025-57822
reference_id CVE-2025-57822
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/
url https://vercel.com/changelog/cve-2025-57822
5
reference_url https://github.com/advisories/GHSA-4342-x723-ch2f
reference_id GHSA-4342-x723-ch2f
reference_type
scores
url https://github.com/advisories/GHSA-4342-x723-ch2f
6
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
reference_id GHSA-4342-x723-ch2f
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f
fixed_packages
0
url pkg:npm/next@14.2.32
purl pkg:npm/next@14.2.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-753e-dm2r-sybh
4
vulnerability VCID-ffry-2c7p-vyhp
5
vulnerability VCID-kxdb-aa4z-qqbu
6
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.32
1
url pkg:npm/next@15.4.7
purl pkg:npm/next@15.4.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2q2t-61xt-u3ax
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-753e-dm2r-sybh
4
vulnerability VCID-ffry-2c7p-vyhp
5
vulnerability VCID-k1q6-b8t3-hqb6
6
vulnerability VCID-kxdb-aa4z-qqbu
7
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.7
aliases CVE-2025-57822, GHSA-4342-x723-ch2f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5c7e-4dkw-63fg
2
url VCID-ana8-q3x4-euhq
vulnerability_id VCID-ana8-q3x4-euhq
summary 
URL Redirection to Untrusted Site (Open Redirect)
Next.js is vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-15242
reference_id
reference_type
scores
0
value 0.00211
scoring_system epss
scoring_elements 0.4366
published_at 2026-06-04T12:55:00Z
1
value 0.00211
scoring_system epss
scoring_elements 0.43716
published_at 2026-06-07T12:55:00Z
2
value 0.00211
scoring_system epss
scoring_elements 0.4374
published_at 2026-06-06T12:55:00Z
3
value 0.00211
scoring_system epss
scoring_elements 0.43731
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-15242
1
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
2
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435
3
reference_url https://github.com/zeit/next.js/releases/tag/v9.5.4
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/zeit/next.js/releases/tag/v9.5.4
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-15242
reference_id CVE-2020-15242
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-15242
5
reference_url https://github.com/advisories/GHSA-x56p-c8cg-q435
reference_id GHSA-x56p-c8cg-q435
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x56p-c8cg-q435
fixed_packages
0
url pkg:npm/next@9.5.4
purl pkg:npm/next@9.5.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-471k-npa7-wqhx
1
vulnerability VCID-5c7e-4dkw-63fg
2
vulnerability VCID-cqhe-wty9-5qec
3
vulnerability VCID-ffry-2c7p-vyhp
4
vulnerability VCID-gw2b-uwg6-sba6
5
vulnerability VCID-qkfv-k941-7uh9
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@9.5.4
aliases CVE-2020-15242, GHSA-x56p-c8cg-q435
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ana8-q3x4-euhq
3
url VCID-cqhe-wty9-5qec
vulnerability_id VCID-cqhe-wty9-5qec
summary 
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as `Cookie` or `Authorization`), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57752)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-57752
reference_id
reference_type
scores
0
value 0.00144
scoring_system epss
scoring_elements 0.34442
published_at 2026-06-07T12:55:00Z
1
value 0.00144
scoring_system epss
scoring_elements 0.34462
published_at 2026-06-05T12:55:00Z
2
value 0.00144
scoring_system epss
scoring_elements 0.34478
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-57752
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/
url https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd
4
reference_url https://github.com/vercel/next.js/pull/82114
reference_id
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/
url https://github.com/vercel/next.js/pull/82114
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2392060
reference_id 2392060
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2392060
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-57752
reference_id CVE-2025-57752
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-57752
7
reference_url https://vercel.com/changelog/cve-2025-57752
reference_id CVE-2025-57752
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/
url https://vercel.com/changelog/cve-2025-57752
8
reference_url https://github.com/advisories/GHSA-g5qg-72qw-gw5v
reference_id GHSA-g5qg-72qw-gw5v
reference_type
scores
url https://github.com/advisories/GHSA-g5qg-72qw-gw5v
9
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
reference_id GHSA-g5qg-72qw-gw5v
reference_type
scores
0
value 6.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v
fixed_packages
0
url pkg:npm/next@14.2.31
purl pkg:npm/next@14.2.31
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-5c7e-4dkw-63fg
4
vulnerability VCID-753e-dm2r-sybh
5
vulnerability VCID-ffry-2c7p-vyhp
6
vulnerability VCID-kxdb-aa4z-qqbu
7
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31
1
url pkg:npm/next@15.4.5
purl pkg:npm/next@15.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2q2t-61xt-u3ax
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-5c7e-4dkw-63fg
4
vulnerability VCID-753e-dm2r-sybh
5
vulnerability VCID-ffry-2c7p-vyhp
6
vulnerability VCID-k1q6-b8t3-hqb6
7
vulnerability VCID-kxdb-aa4z-qqbu
8
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5
aliases CVE-2025-57752, GHSA-g5qg-72qw-gw5v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cqhe-wty9-5qec
4
url VCID-ffry-2c7p-vyhp
vulnerability_id VCID-ffry-2c7p-vyhp
summary next.js: Next.js: HTTP request smuggling in rewrites
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29057
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.09382
published_at 2026-06-07T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.09377
published_at 2026-06-05T12:55:00Z
2
value 0.00031
scoring_system epss
scoring_elements 0.09397
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29057
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
4
reference_url https://github.com/vercel/next.js/releases/tag/v15.5.13
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/releases/tag/v15.5.13
5
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
6
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29057
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29057
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448515
reference_id 2448515
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448515
9
reference_url https://github.com/advisories/GHSA-ggv3-7p47-pfv8
reference_id GHSA-ggv3-7p47-pfv8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ggv3-7p47-pfv8
fixed_packages
0
url pkg:npm/next@15.5.13
purl pkg:npm/next@15.5.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-753e-dm2r-sybh
1
vulnerability VCID-kxdb-aa4z-qqbu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.13
1
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kxdb-aa4z-qqbu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-29057, GHSA-ggv3-7p47-pfv8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ffry-2c7p-vyhp
5
url VCID-gw2b-uwg6-sba6
vulnerability_id VCID-gw2b-uwg6-sba6
summary 
Next.js missing cache-control header may lead to CDN caching empty reply
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-46298
reference_id
reference_type
scores
0
value 0.00373
scoring_system epss
scoring_elements 0.59357
published_at 2026-06-05T12:55:00Z
1
value 0.00373
scoring_system epss
scoring_elements 0.59352
published_at 2026-06-07T12:55:00Z
2
value 0.00373
scoring_system epss
scoring_elements 0.59361
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-46298
1
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
2
reference_url https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648
3
reference_url https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/
url https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
4
reference_url https://github.com/vercel/next.js/issues/45301
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/
url https://github.com/vercel/next.js/issues/45301
5
reference_url https://github.com/vercel/next.js/pull/54732
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/
url https://github.com/vercel/next.js/pull/54732
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46298
reference_id CVE-2023-46298
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-46298
7
reference_url https://github.com/advisories/GHSA-c59h-r6p8-q9wc
reference_id GHSA-c59h-r6p8-q9wc
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-c59h-r6p8-q9wc
fixed_packages
0
url pkg:npm/next@13.4.20-canary.0
purl pkg:npm/next@13.4.20-canary.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16tt-tr4a-9fdx
1
vulnerability VCID-38m6-9vq5-a7a7
2
vulnerability VCID-3ruh-95mg-wybh
3
vulnerability VCID-3rx6-y94b-27ep
4
vulnerability VCID-471k-npa7-wqhx
5
vulnerability VCID-4wd3-rj51-ykdx
6
vulnerability VCID-5c7e-4dkw-63fg
7
vulnerability VCID-753e-dm2r-sybh
8
vulnerability VCID-cqhe-wty9-5qec
9
vulnerability VCID-dd36-8ju8-gqej
10
vulnerability VCID-dwdu-j3tf-tyav
11
vulnerability VCID-ffry-2c7p-vyhp
12
vulnerability VCID-gw2b-uwg6-sba6
13
vulnerability VCID-kxdb-aa4z-qqbu
14
vulnerability VCID-pmah-ugvq-jqbs
15
vulnerability VCID-qkfv-k941-7uh9
16
vulnerability VCID-vqxd-ebjg-c3cw
17
vulnerability VCID-wb5m-12ur-rqhh
18
vulnerability VCID-x36h-yutm-dkcr
19
vulnerability VCID-zq9q-e5g1-dffr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.0
1
url pkg:npm/next@13.4.20-canary.13
purl pkg:npm/next@13.4.20-canary.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16tt-tr4a-9fdx
1
vulnerability VCID-38m6-9vq5-a7a7
2
vulnerability VCID-3ruh-95mg-wybh
3
vulnerability VCID-3rx6-y94b-27ep
4
vulnerability VCID-471k-npa7-wqhx
5
vulnerability VCID-4wd3-rj51-ykdx
6
vulnerability VCID-5c7e-4dkw-63fg
7
vulnerability VCID-753e-dm2r-sybh
8
vulnerability VCID-cqhe-wty9-5qec
9
vulnerability VCID-dd36-8ju8-gqej
10
vulnerability VCID-dwdu-j3tf-tyav
11
vulnerability VCID-ffry-2c7p-vyhp
12
vulnerability VCID-gw2b-uwg6-sba6
13
vulnerability VCID-kxdb-aa4z-qqbu
14
vulnerability VCID-pmah-ugvq-jqbs
15
vulnerability VCID-qkfv-k941-7uh9
16
vulnerability VCID-vqxd-ebjg-c3cw
17
vulnerability VCID-wb5m-12ur-rqhh
18
vulnerability VCID-x36h-yutm-dkcr
19
vulnerability VCID-zq9q-e5g1-dffr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.13
2
url pkg:npm/next@13.5.0
purl pkg:npm/next@13.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-16tt-tr4a-9fdx
1
vulnerability VCID-38m6-9vq5-a7a7
2
vulnerability VCID-3ruh-95mg-wybh
3
vulnerability VCID-3rx6-y94b-27ep
4
vulnerability VCID-471k-npa7-wqhx
5
vulnerability VCID-4wd3-rj51-ykdx
6
vulnerability VCID-5c7e-4dkw-63fg
7
vulnerability VCID-753e-dm2r-sybh
8
vulnerability VCID-cqhe-wty9-5qec
9
vulnerability VCID-dd36-8ju8-gqej
10
vulnerability VCID-dwdu-j3tf-tyav
11
vulnerability VCID-ffry-2c7p-vyhp
12
vulnerability VCID-kxdb-aa4z-qqbu
13
vulnerability VCID-pmah-ugvq-jqbs
14
vulnerability VCID-qkfv-k941-7uh9
15
vulnerability VCID-vqxd-ebjg-c3cw
16
vulnerability VCID-wb5m-12ur-rqhh
17
vulnerability VCID-x36h-yutm-dkcr
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.0
aliases CVE-2023-46298, GHSA-c59h-r6p8-q9wc
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gw2b-uwg6-sba6
6
url VCID-qkfv-k941-7uh9
vulnerability_id VCID-qkfv-k941-7uh9
summary 
Next.js Race Condition to Cache Poisoning
**Summary**
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the **Pages Router** under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML.

[Learn more here](https://vercel.com/changelog/cve-2025-32421)

**Credit**
Thank you to **Allam Rachid (zhero)** for the responsible disclosure. This research was rewarded as part of our bug bounty program.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-32421
reference_id
reference_type
scores
0
value 0.00752
scoring_system epss
scoring_elements 0.73569
published_at 2026-06-07T12:55:00Z
1
value 0.00752
scoring_system epss
scoring_elements 0.73578
published_at 2026-06-05T12:55:00Z
2
value 0.00752
scoring_system epss
scoring_elements 0.73582
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-32421
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2366366
reference_id 2366366
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2366366
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-32421
reference_id CVE-2025-32421
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-32421
5
reference_url https://vercel.com/changelog/cve-2025-32421
reference_id CVE-2025-32421
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/
url https://vercel.com/changelog/cve-2025-32421
6
reference_url https://github.com/advisories/GHSA-qpjv-v59x-3qc4
reference_id GHSA-qpjv-v59x-3qc4
reference_type
scores
url https://github.com/advisories/GHSA-qpjv-v59x-3qc4
7
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4
reference_id GHSA-qpjv-v59x-3qc4
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4
fixed_packages
0
url pkg:npm/next@14.2.24
purl pkg:npm/next@14.2.24
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-471k-npa7-wqhx
4
vulnerability VCID-5c7e-4dkw-63fg
5
vulnerability VCID-753e-dm2r-sybh
6
vulnerability VCID-cqhe-wty9-5qec
7
vulnerability VCID-dd36-8ju8-gqej
8
vulnerability VCID-dwdu-j3tf-tyav
9
vulnerability VCID-ffry-2c7p-vyhp
10
vulnerability VCID-kxdb-aa4z-qqbu
11
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.24
1
url pkg:npm/next@15.1.6
purl pkg:npm/next@15.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2q2t-61xt-u3ax
1
vulnerability VCID-3ruh-95mg-wybh
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-471k-npa7-wqhx
4
vulnerability VCID-5c7e-4dkw-63fg
5
vulnerability VCID-6um9-q6h7-v3ad
6
vulnerability VCID-753e-dm2r-sybh
7
vulnerability VCID-cqhe-wty9-5qec
8
vulnerability VCID-dd36-8ju8-gqej
9
vulnerability VCID-dwdu-j3tf-tyav
10
vulnerability VCID-ffry-2c7p-vyhp
11
vulnerability VCID-k1q6-b8t3-hqb6
12
vulnerability VCID-kxdb-aa4z-qqbu
13
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.6
aliases CVE-2025-32421, GHSA-qpjv-v59x-3qc4
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qkfv-k941-7uh9
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/next@9.5.4-canary.25