Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/next@1.2.0

Type npm

Namespace

Name next

Version 1.2.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 15.5.18

Latest_non_vulnerable_version 16.2.6

Affected_by_vulnerabilities

url VCID-3z94-57r1-t3cq

vulnerability_id VCID-3z94-57r1-t3cq

summary Directory Traversal in Next.js

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-5284

reference_id

reference_type

scores

value	0.79833
scoring_system	epss
scoring_elements	0.99125
published_at	2026-06-11T12:55:00Z

value	0.79833
scoring_system	epss
scoring_elements	0.99128
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-5284

reference_url

https://github.com/zeit/next.js/releases/tag/v9.3.2

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zeit/next.js/releases/tag/v9.3.2

reference_url

https://www.npmjs.com/advisories/1503

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/advisories/1503

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-5284

reference_id

CVE-2020-5284

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-5284

reference_url

https://github.com/advisories/GHSA-fq77-7p7r-83rj

reference_id

GHSA-fq77-7p7r-83rj

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fq77-7p7r-83rj

reference_url

https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj

reference_id

GHSA-fq77-7p7r-83rj

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj

fixed_packages

url pkg:npm/next@9.3.2

purl pkg:npm/next@9.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-xz2s-8drg-8bam

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@9.3.2

aliases CVE-2020-5284, GHSA-fq77-7p7r-83rj

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3z94-57r1-t3cq

url VCID-7j2z-1rcx-5kbw

vulnerability_id VCID-7j2z-1rcx-5kbw

summary Remote Code Execution in next

references

reference_url	https://github.com/masasron/vulnerability-research/tree/master/CVE-2018-6184/LFI
reference_id
reference_type
scores
url	https://github.com/masasron/vulnerability-research/tree/master/CVE-2018-6184/LFI

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://www.npmjs.com/advisories/1538

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/advisories/1538

reference_url

https://github.com/advisories/GHSA-5vj8-3v2h-h38v

reference_id

GHSA-5vj8-3v2h-h38v

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5vj8-3v2h-h38v

fixed_packages

url pkg:npm/next@5.1.0

purl pkg:npm/next@5.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3z94-57r1-t3cq

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-xz2s-8drg-8bam

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@5.1.0

aliases GHSA-5vj8-3v2h-h38v, GMS-2020-750

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7j2z-1rcx-5kbw

url VCID-85yf-4zz7-33bn

vulnerability_id VCID-85yf-4zz7-33bn

summary Next.js Directory Traversal Vulnerability

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-16877

reference_id

reference_type

scores

value	0.80763
scoring_system	epss
scoring_elements	0.9917
published_at	2026-06-12T12:55:00Z

value	0.80763
scoring_system	epss
scoring_elements	0.99167
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-16877

reference_url

https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/02fe7cf63f6265d73bdaf8bc50a4f2fb539dcd00

reference_url

https://github.com/zeit/next.js

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/zeit/next.js

reference_url

https://github.com/zeit/next.js/releases/tag/2.4.1

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/zeit/next.js/releases/tag/2.4.1

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2017-16877

reference_id

CVE-2017-16877

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2017-16877

reference_url

https://github.com/advisories/GHSA-3f5c-4qxj-vmpf

reference_id

GHSA-3f5c-4qxj-vmpf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3f5c-4qxj-vmpf

fixed_packages

url pkg:npm/next@2.4.1

purl pkg:npm/next@2.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3z94-57r1-t3cq

vulnerability	VCID-7j2z-1rcx-5kbw

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-xz2s-8drg-8bam

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@2.4.1

aliases CVE-2017-16877, GHSA-3f5c-4qxj-vmpf

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-85yf-4zz7-33bn

url VCID-k79u-6118-zyag

vulnerability_id VCID-k79u-6118-zyag

summary Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-46298

reference_id

reference_type

scores

value	0.00373
scoring_system	epss
scoring_elements	0.59422
published_at	2026-06-11T12:55:00Z

value	0.00373
scoring_system	epss
scoring_elements	0.59532
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-46298

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-46298

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-46298

reference_url

https://github.com/vercel/next.js/issues/45301

reference_id

45301

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/

url

https://github.com/vercel/next.js/issues/45301

reference_url

https://github.com/vercel/next.js/pull/54732

reference_id

54732

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/

url

https://github.com/vercel/next.js/pull/54732

reference_url

https://github.com/advisories/GHSA-c59h-r6p8-q9wc

reference_id

GHSA-c59h-r6p8-q9wc

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c59h-r6p8-q9wc

reference_url

https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13

reference_id

v13.4.20-canary.12...v13.4.20-canary.13

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/

url

https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13

fixed_packages

url pkg:npm/next@13.4.20-canary.0

purl pkg:npm/next@13.4.20-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-7qxb-73at-5bet

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-qmqq-zdeg-vyh5

vulnerability	VCID-qyq6-dq1h-s7en

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.0

url pkg:npm/next@13.4.20-canary.13

purl pkg:npm/next@13.4.20-canary.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-7qxb-73at-5bet

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-qmqq-zdeg-vyh5

vulnerability	VCID-qyq6-dq1h-s7en

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.13

url pkg:npm/next@13.5.0

purl pkg:npm/next@13.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-qmqq-zdeg-vyh5

vulnerability	VCID-qyq6-dq1h-s7en

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.0

aliases CVE-2023-46298, GHSA-c59h-r6p8-q9wc

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k79u-6118-zyag

url VCID-p7a7-ehjr-xqf3

vulnerability_id VCID-p7a7-ehjr-xqf3

summary Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-57752

reference_id

reference_type

scores

value	0.00144
scoring_system	epss
scoring_elements	0.34643
published_at	2026-06-12T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34466
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-57752

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-57752

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-57752

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2392060
reference_id	2392060
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2392060

reference_url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_id

6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_url

https://github.com/vercel/next.js/pull/82114

reference_id

82114

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://github.com/vercel/next.js/pull/82114

reference_url

https://vercel.com/changelog/cve-2025-57752

reference_id

cve-2025-57752

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://vercel.com/changelog/cve-2025-57752

reference_url	https://github.com/advisories/GHSA-g5qg-72qw-gw5v
reference_id	GHSA-g5qg-72qw-gw5v
reference_type
scores
url	https://github.com/advisories/GHSA-g5qg-72qw-gw5v

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v

reference_id

GHSA-g5qg-72qw-gw5v

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v

fixed_packages

url pkg:npm/next@14.2.31

purl pkg:npm/next@14.2.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31

url pkg:npm/next@15.4.5

purl pkg:npm/next@15.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5

aliases CVE-2025-57752, GHSA-g5qg-72qw-gw5v

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p7a7-ehjr-xqf3

url VCID-t6n1-e9kc-hqgx

vulnerability_id VCID-t6n1-e9kc-hqgx

summary Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-57822

reference_id

reference_type

scores

value	0.07815
scoring_system	epss
scoring_elements	0.92168
published_at	2026-06-11T12:55:00Z

value	0.07815
scoring_system	epss
scoring_elements	0.92195
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-57822

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-57822

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-57822

reference_url

https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8

reference_id

9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/

url

https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8

reference_url

https://vercel.com/changelog/cve-2025-57822

reference_id

cve-2025-57822

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/

url

https://vercel.com/changelog/cve-2025-57822

reference_url	https://github.com/advisories/GHSA-4342-x723-ch2f
reference_id	GHSA-4342-x723-ch2f
reference_type
scores
url	https://github.com/advisories/GHSA-4342-x723-ch2f

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f

reference_id

GHSA-4342-x723-ch2f

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f

fixed_packages

url pkg:npm/next@14.2.32

purl pkg:npm/next@14.2.32

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.32

url pkg:npm/next@15.4.7

purl pkg:npm/next@15.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.7

aliases CVE-2025-57822, GHSA-4342-x723-ch2f

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t6n1-e9kc-hqgx

url VCID-wdsq-y8uf-2feh

vulnerability_id VCID-wdsq-y8uf-2feh

summary Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-55173

reference_id

reference_type

scores

value	0.00687
scoring_system	epss
scoring_elements	0.72209
published_at	2026-06-11T12:55:00Z

value	0.00687
scoring_system	epss
scoring_elements	0.72292
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-55173

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-55173

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-55173

reference_url

http://vercel.com/changelog/cve-2025-55173

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://vercel.com/changelog/cve-2025-55173

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2392059
reference_id	2392059
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2392059

reference_url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_id

6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/

url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_url

https://vercel.com/changelog/cve-2025-55173

reference_id

cve-2025-55173

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/

url

https://vercel.com/changelog/cve-2025-55173

reference_url	https://github.com/advisories/GHSA-xv57-4mr9-wg8v
reference_id	GHSA-xv57-4mr9-wg8v
reference_type
scores
url	https://github.com/advisories/GHSA-xv57-4mr9-wg8v

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v

reference_id

GHSA-xv57-4mr9-wg8v

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v

fixed_packages

url pkg:npm/next@14.2.31

purl pkg:npm/next@14.2.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31

url pkg:npm/next@15.4.5

purl pkg:npm/next@15.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5

aliases CVE-2025-55173, GHSA-xv57-4mr9-wg8v

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wdsq-y8uf-2feh

url VCID-xz2s-8drg-8bam

vulnerability_id VCID-xz2s-8drg-8bam

summary Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-32421

reference_id

reference_type

scores

value	0.00752
scoring_system	epss
scoring_elements	0.73631
published_at	2026-06-11T12:55:00Z

value	0.00752
scoring_system	epss
scoring_elements	0.73706
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-32421

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-32421

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-32421

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2366366
reference_id	2366366
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2366366

reference_url

https://vercel.com/changelog/cve-2025-32421

reference_id

cve-2025-32421

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/

url

https://vercel.com/changelog/cve-2025-32421

reference_url	https://github.com/advisories/GHSA-qpjv-v59x-3qc4
reference_id	GHSA-qpjv-v59x-3qc4
reference_type
scores
url	https://github.com/advisories/GHSA-qpjv-v59x-3qc4

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4

reference_id

GHSA-qpjv-v59x-3qc4

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4

fixed_packages

url pkg:npm/next@14.2.24

purl pkg:npm/next@14.2.24

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.24

url pkg:npm/next@15.1.6

purl pkg:npm/next@15.1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zrw8-shww-mqe4

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.6

aliases CVE-2025-32421, GHSA-qpjv-v59x-3qc4

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xz2s-8drg-8bam

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@1.2.0

Package Instance