Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/next@10.2.4-canary.6

Type npm

Namespace

Name next

Version 10.2.4-canary.6

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 15.5.18

Latest_non_vulnerable_version 16.2.6

Affected_by_vulnerabilities

url VCID-29qk-jgck-2kb2

vulnerability_id VCID-29qk-jgck-2kb2

summary

A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-59471

reference_id

reference_type

scores

value	0.00041
scoring_system	epss
scoring_elements	0.13005
published_at	2026-06-14T12:55:00Z

value	0.00041
scoring_system	epss
scoring_elements	0.13027
published_at	2026-06-13T12:55:00Z

value	0.00041
scoring_system	epss
scoring_elements	0.12923
published_at	2026-06-11T12:55:00Z

value	0.00041
scoring_system	epss
scoring_elements	0.13017
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-59471

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c

reference_url

https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec

reference_url

https://github.com/vercel/next.js/releases/tag/v15.5.10

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v15.5.10

reference_url

https://github.com/vercel/next.js/releases/tag/v16.1.5

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v16.1.5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2433094
reference_id	2433094
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2433094

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-59471

reference_id

CVE-2025-59471

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-59471

reference_url

https://github.com/advisories/GHSA-9g9p-9gw9-jx7f

reference_id

GHSA-9g9p-9gw9-jx7f

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9g9p-9gw9-jx7f

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f

reference_id

GHSA-9g9p-9gw9-jx7f

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:54:47Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f

fixed_packages

url pkg:npm/next@15.5.10

purl pkg:npm/next@15.5.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.10

url pkg:npm/next@16.1.5

purl pkg:npm/next@16.1.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51r9-nmc2-tyc7

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-chsk-ka34-yqaf

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-qptg-e7c6-puhs

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5

aliases CVE-2025-59471, GHSA-9g9p-9gw9-jx7f

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-29qk-jgck-2kb2

url VCID-3614-49nb-r7em

vulnerability_id VCID-3614-49nb-r7em

summary Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47831.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47831.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-47831

reference_id

reference_type

scores

value	0.01306
scoring_system	epss
scoring_elements	0.80195
published_at	2026-06-11T12:55:00Z

value	0.01306
scoring_system	epss
scoring_elements	0.80264
published_at	2026-06-14T12:55:00Z

value	0.01306
scoring_system	epss
scoring_elements	0.80256
published_at	2026-06-12T12:55:00Z

value	0.01306
scoring_system	epss
scoring_elements	0.80273
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-47831

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2318607
reference_id	2318607
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2318607

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-47831

reference_id

CVE-2024-47831

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-47831

reference_url

https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a

reference_id

d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:51:58Z/

url

https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a

reference_url

https://github.com/advisories/GHSA-g77x-44xx-532m

reference_id

GHSA-g77x-44xx-532m

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g77x-44xx-532m

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m

reference_id

GHSA-g77x-44xx-532m

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	4.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:51:58Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m

fixed_packages

url pkg:npm/next@14.2.7

purl pkg:npm/next@14.2.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-bwnq-891k-ykh7

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.7

aliases CVE-2024-47831, GHSA-g77x-44xx-532m

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3614-49nb-r7em

url VCID-93c9-up9w-5fdv

vulnerability_id VCID-93c9-up9w-5fdv

summary Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44577.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-44577.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-44577

reference_id

reference_type

scores

value	0.00018
scoring_system	epss
scoring_elements	0.05048
published_at	2026-06-13T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05058
published_at	2026-06-11T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05061
published_at	2026-06-12T12:55:00Z

value	0.0002
scoring_system	epss
scoring_elements	0.05727
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-44577

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/releases/tag/v15.5.16

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v15.5.16

reference_url

https://github.com/vercel/next.js/releases/tag/v16.2.5

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v16.2.5

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-44577

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-44577

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2477194
reference_id	2477194
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2477194

reference_url

https://github.com/advisories/GHSA-h64f-5h5j-jqjh

reference_id

GHSA-h64f-5h5j-jqjh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-h64f-5h5j-jqjh

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh

reference_id

GHSA-h64f-5h5j-jqjh

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:33:40Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh

fixed_packages

url pkg:npm/next@15.5.16

purl pkg:npm/next@15.5.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-gh18-cr6c-47hm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.16

url pkg:npm/next@16.2.5

purl pkg:npm/next@16.2.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-gh18-cr6c-47hm

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.2.5

aliases CVE-2026-44577, GHSA-h64f-5h5j-jqjh

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-93c9-up9w-5fdv

url VCID-bjvd-79eg-17f3

vulnerability_id VCID-bjvd-79eg-17f3

summary Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-29057

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.09488
published_at	2026-06-13T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.09477
published_at	2026-06-14T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.09495
published_at	2026-06-12T12:55:00Z

value	0.00031
scoring_system	epss
scoring_elements	0.0944
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-29057

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-29057

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-29057

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2448515
reference_id	2448515
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2448515

reference_url

https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6

reference_id

dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6

reference_url

https://github.com/advisories/GHSA-ggv3-7p47-pfv8

reference_id

GHSA-ggv3-7p47-pfv8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-ggv3-7p47-pfv8

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8

reference_id

GHSA-ggv3-7p47-pfv8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8

reference_url

https://github.com/vercel/next.js/releases/tag/v15.5.13

reference_id

v15.5.13

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/releases/tag/v15.5.13

reference_url

https://github.com/vercel/next.js/releases/tag/v16.1.7

reference_id

v16.1.7

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/releases/tag/v16.1.7

fixed_packages

url pkg:npm/next@15.5.13

purl pkg:npm/next@15.5.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.13

url pkg:npm/next@16.1.7

purl pkg:npm/next@16.1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7

aliases CVE-2026-29057, GHSA-ggv3-7p47-pfv8

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bjvd-79eg-17f3

url VCID-c68h-67ne-kkck

vulnerability_id VCID-c68h-67ne-kkck

summary Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23646

reference_id

reference_type

scores

value	0.01381
scoring_system	epss
scoring_elements	0.80756
published_at	2026-06-12T12:55:00Z

value	0.01381
scoring_system	epss
scoring_elements	0.80696
published_at	2026-06-11T12:55:00Z

value	0.01381
scoring_system	epss
scoring_elements	0.80757
published_at	2026-06-14T12:55:00Z

value	0.01381
scoring_system	epss
scoring_elements	0.80767
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23646

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/pull/34075

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/pull/34075

reference_url

https://github.com/vercel/next.js/releases/tag/v12.1.0

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v12.1.0

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23646

reference_id

CVE-2022-23646

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23646

reference_url

https://github.com/advisories/GHSA-fmvm-x8mv-47mj

reference_id

GHSA-fmvm-x8mv-47mj

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fmvm-x8mv-47mj

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj

reference_id

GHSA-fmvm-x8mv-47mj

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj

fixed_packages

url pkg:npm/next@12.1.0

purl pkg:npm/next@12.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-xz2s-8drg-8bam

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@12.1.0

aliases CVE-2022-23646, GHSA-fmvm-x8mv-47mj

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c68h-67ne-kkck

url VCID-k79u-6118-zyag

vulnerability_id VCID-k79u-6118-zyag

summary Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-46298

reference_id

reference_type

scores

value	0.00373
scoring_system	epss
scoring_elements	0.59532
published_at	2026-06-12T12:55:00Z

value	0.00373
scoring_system	epss
scoring_elements	0.59422
published_at	2026-06-11T12:55:00Z

value	0.00373
scoring_system	epss
scoring_elements	0.59531
published_at	2026-06-14T12:55:00Z

value	0.00373
scoring_system	epss
scoring_elements	0.59543
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-46298

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-46298

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-46298

reference_url

https://github.com/vercel/next.js/issues/45301

reference_id

45301

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/

url

https://github.com/vercel/next.js/issues/45301

reference_url

https://github.com/vercel/next.js/pull/54732

reference_id

54732

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/

url

https://github.com/vercel/next.js/pull/54732

reference_url

https://github.com/advisories/GHSA-c59h-r6p8-q9wc

reference_id

GHSA-c59h-r6p8-q9wc

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c59h-r6p8-q9wc

reference_url

https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13

reference_id

v13.4.20-canary.12...v13.4.20-canary.13

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/

url

https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13

fixed_packages

url pkg:npm/next@13.4.20-canary.0

purl pkg:npm/next@13.4.20-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-7qxb-73at-5bet

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-qmqq-zdeg-vyh5

vulnerability	VCID-qyq6-dq1h-s7en

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.0

url pkg:npm/next@13.4.20-canary.13

purl pkg:npm/next@13.4.20-canary.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-7qxb-73at-5bet

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-qmqq-zdeg-vyh5

vulnerability	VCID-qyq6-dq1h-s7en

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.13

url pkg:npm/next@13.5.0

purl pkg:npm/next@13.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-qmqq-zdeg-vyh5

vulnerability	VCID-qyq6-dq1h-s7en

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.0

aliases CVE-2023-46298, GHSA-c59h-r6p8-q9wc

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k79u-6118-zyag

url VCID-p7a7-ehjr-xqf3

vulnerability_id VCID-p7a7-ehjr-xqf3

summary Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-57752

reference_id

reference_type

scores

value	0.00144
scoring_system	epss
scoring_elements	0.34646
published_at	2026-06-14T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34643
published_at	2026-06-12T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34466
published_at	2026-06-11T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34667
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-57752

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-57752

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-57752

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2392060
reference_id	2392060
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2392060

reference_url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_id

6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_url

https://github.com/vercel/next.js/pull/82114

reference_id

82114

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://github.com/vercel/next.js/pull/82114

reference_url

https://vercel.com/changelog/cve-2025-57752

reference_id

cve-2025-57752

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://vercel.com/changelog/cve-2025-57752

reference_url

https://github.com/advisories/GHSA-g5qg-72qw-gw5v

reference_id

GHSA-g5qg-72qw-gw5v

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g5qg-72qw-gw5v

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v

reference_id

GHSA-g5qg-72qw-gw5v

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v

fixed_packages

url pkg:npm/next@14.2.31

purl pkg:npm/next@14.2.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31

url pkg:npm/next@15.4.5

purl pkg:npm/next@15.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5

aliases CVE-2025-57752, GHSA-g5qg-72qw-gw5v

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p7a7-ehjr-xqf3

url VCID-pzbj-fkbg-nkdw

vulnerability_id VCID-pzbj-fkbg-nkdw

summary Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51479.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51479.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-51479

reference_id

reference_type

scores

value	0.78509
scoring_system	epss
scoring_elements	0.99065
published_at	2026-06-12T12:55:00Z

value	0.78509
scoring_system	epss
scoring_elements	0.99066
published_at	2026-06-14T12:55:00Z

value	0.78509
scoring_system	epss
scoring_elements	0.99061
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-51479

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-51479

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-51479

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2332884
reference_id	2332884
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2332884

reference_url

https://github.com/advisories/GHSA-7gfc-8cq8-jh5f

reference_id

GHSA-7gfc-8cq8-jh5f

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7gfc-8cq8-jh5f

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f

reference_id

GHSA-7gfc-8cq8-jh5f

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-17T20:36:20Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f

reference_url	https://access.redhat.com/errata/RHSA-2025:3807
reference_id	RHSA-2025:3807
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3807

reference_url

https://github.com/vercel/next.js/releases/tag/v14.2.15

reference_id

v14.2.15

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-17T20:36:20Z/

url

https://github.com/vercel/next.js/releases/tag/v14.2.15

fixed_packages

url pkg:npm/next@14.2.15

purl pkg:npm/next@14.2.15

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-jgpv-ueke-37gf

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xz2s-8drg-8bam

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.15

aliases CVE-2024-51479, GHSA-7gfc-8cq8-jh5f

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pzbj-fkbg-nkdw

url VCID-t6n1-e9kc-hqgx

vulnerability_id VCID-t6n1-e9kc-hqgx

summary Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-57822

reference_id

reference_type

scores

value	0.07815
scoring_system	epss
scoring_elements	0.92201
published_at	2026-06-14T12:55:00Z

value	0.07815
scoring_system	epss
scoring_elements	0.92168
published_at	2026-06-11T12:55:00Z

value	0.07815
scoring_system	epss
scoring_elements	0.92195
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-57822

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-57822

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-57822

reference_url

https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8

reference_id

9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/

url

https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8

reference_url

https://vercel.com/changelog/cve-2025-57822

reference_id

cve-2025-57822

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/

url

https://vercel.com/changelog/cve-2025-57822

reference_url

https://github.com/advisories/GHSA-4342-x723-ch2f

reference_id

GHSA-4342-x723-ch2f

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4342-x723-ch2f

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f

reference_id

GHSA-4342-x723-ch2f

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f

fixed_packages

url pkg:npm/next@14.2.32

purl pkg:npm/next@14.2.32

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.32

url pkg:npm/next@15.4.7

purl pkg:npm/next@15.4.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.7

aliases CVE-2025-57822, GHSA-4342-x723-ch2f

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t6n1-e9kc-hqgx

url VCID-uqrk-gg9y-5bfz

vulnerability_id VCID-uqrk-gg9y-5bfz

summary Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27980

reference_id

reference_type

scores

value	0.00023
scoring_system	epss
scoring_elements	0.06888
published_at	2026-06-12T12:55:00Z

value	0.00023
scoring_system	epss
scoring_elements	0.06862
published_at	2026-06-14T12:55:00Z

value	0.00023
scoring_system	epss
scoring_elements	0.06876
published_at	2026-06-13T12:55:00Z

value	0.00023
scoring_system	epss
scoring_elements	0.06863
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27980

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27980

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27980

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2448509
reference_id	2448509
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2448509

reference_url

https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd

reference_id

39eb8e0ac498b48855a0430fbf4c22276a73b4bd

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/

url

https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd

reference_url

https://github.com/advisories/GHSA-3x4c-7xq6-9pq8

reference_id

GHSA-3x4c-7xq6-9pq8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3x4c-7xq6-9pq8

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8

reference_id

GHSA-3x4c-7xq6-9pq8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8

reference_url	https://access.redhat.com/errata/RHSA-2026:13571
reference_id	RHSA-2026:13571
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13571

reference_url

https://github.com/vercel/next.js/releases/tag/v16.1.7

reference_id

v16.1.7

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/

url

https://github.com/vercel/next.js/releases/tag/v16.1.7

fixed_packages

url pkg:npm/next@15.5.14

purl pkg:npm/next@15.5.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.14

url pkg:npm/next@15.6.0-canary.0

purl pkg:npm/next@15.6.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-v7dq-7t8n-j7b5

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.0

url pkg:npm/next@16.1.7

purl pkg:npm/next@16.1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7

aliases CVE-2026-27980, GHSA-3x4c-7xq6-9pq8

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uqrk-gg9y-5bfz

url VCID-vb3c-u8td-7ye4

vulnerability_id VCID-vb3c-u8td-7ye4

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-39178

reference_id

reference_type

scores

value	0.007
scoring_system	epss
scoring_elements	0.72485
published_at	2026-06-11T12:55:00Z

value	0.007
scoring_system	epss
scoring_elements	0.72563
published_at	2026-06-12T12:55:00Z

value	0.007
scoring_system	epss
scoring_elements	0.72577
published_at	2026-06-13T12:55:00Z

value	0.007
scoring_system	epss
scoring_elements	0.72573
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-39178

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/7afc97c5744b38bdf36aa7f87625f438224688aa

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/7afc97c5744b38bdf36aa7f87625f438224688aa

reference_url

https://github.com/vercel/next.js/pull/28620

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/pull/28620

reference_url

https://github.com/vercel/next.js/releases/tag/v11.1.1

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v11.1.1

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-39178

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-39178

reference_url

https://github.com/advisories/GHSA-9gr3-7897-pp7m

reference_id

GHSA-9gr3-7897-pp7m

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9gr3-7897-pp7m

fixed_packages

url pkg:npm/next@11.1.1

purl pkg:npm/next@11.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-3614-49nb-r7em

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c68h-67ne-kkck

vulnerability	VCID-k79u-6118-zyag

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-pzbj-fkbg-nkdw

vulnerability	VCID-s9pm-xyj1-yydc

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w11n-v968-juaz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-xz2s-8drg-8bam

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@11.1.1

aliases CVE-2021-39178, GHSA-9gr3-7897-pp7m

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vb3c-u8td-7ye4

url VCID-wdsq-y8uf-2feh

vulnerability_id VCID-wdsq-y8uf-2feh

summary Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-55173

reference_id

reference_type

scores

value	0.00687
scoring_system	epss
scoring_elements	0.72299
published_at	2026-06-14T12:55:00Z

value	0.00687
scoring_system	epss
scoring_elements	0.72292
published_at	2026-06-12T12:55:00Z

value	0.00687
scoring_system	epss
scoring_elements	0.72305
published_at	2026-06-13T12:55:00Z

value	0.00687
scoring_system	epss
scoring_elements	0.72209
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-55173

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-55173

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-55173

reference_url

http://vercel.com/changelog/cve-2025-55173

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://vercel.com/changelog/cve-2025-55173

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2392059
reference_id	2392059
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2392059

reference_url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_id

6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/

url

https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd

reference_url

https://vercel.com/changelog/cve-2025-55173

reference_id

cve-2025-55173

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/

url

https://vercel.com/changelog/cve-2025-55173

reference_url

https://github.com/advisories/GHSA-xv57-4mr9-wg8v

reference_id

GHSA-xv57-4mr9-wg8v

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xv57-4mr9-wg8v

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v

reference_id

GHSA-xv57-4mr9-wg8v

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v

fixed_packages

url pkg:npm/next@14.2.31

purl pkg:npm/next@14.2.31

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31

url pkg:npm/next@15.4.5

purl pkg:npm/next@15.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-9r3b-phvp-xfck

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gh18-cr6c-47hm

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-w4pk-pmxb-c7fr

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5

aliases CVE-2025-55173, GHSA-xv57-4mr9-wg8v

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wdsq-y8uf-2feh

url VCID-xz2s-8drg-8bam

vulnerability_id VCID-xz2s-8drg-8bam

summary Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-32421

reference_id

reference_type

scores

value	0.00752
scoring_system	epss
scoring_elements	0.73722
published_at	2026-06-14T12:55:00Z

value	0.00752
scoring_system	epss
scoring_elements	0.73706
published_at	2026-06-12T12:55:00Z

value	0.00752
scoring_system	epss
scoring_elements	0.73631
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-32421

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-32421

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-32421

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2366366
reference_id	2366366
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2366366

reference_url

https://vercel.com/changelog/cve-2025-32421

reference_id

cve-2025-32421

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/

url

https://vercel.com/changelog/cve-2025-32421

reference_url

https://github.com/advisories/GHSA-qpjv-v59x-3qc4

reference_id

GHSA-qpjv-v59x-3qc4

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qpjv-v59x-3qc4

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4

reference_id

GHSA-qpjv-v59x-3qc4

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4

fixed_packages

url pkg:npm/next@14.2.24

purl pkg:npm/next@14.2.24

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zuh1-7568-nbg3

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.24

url pkg:npm/next@15.1.6

purl pkg:npm/next@15.1.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-29qk-jgck-2kb2

vulnerability	VCID-2rsy-25vf-cufu

vulnerability	VCID-2wxy-d9mx-u7du

vulnerability	VCID-4kgz-73xy-xyb2

vulnerability	VCID-51mc-n64v-nugj

vulnerability	VCID-5ehn-67ys-73h1

vulnerability	VCID-6r5c-d48p-9qa4

vulnerability	VCID-93c9-up9w-5fdv

vulnerability	VCID-b2hu-vcgt-7ydr

vulnerability	VCID-bjvd-79eg-17f3

vulnerability	VCID-c9sc-ajq2-pyda

vulnerability	VCID-gm62-hv3y-v7b8

vulnerability	VCID-haxf-nay6-v3hg

vulnerability	VCID-mv21-m5nh-vygs

vulnerability	VCID-p7a7-ehjr-xqf3

vulnerability	VCID-s5uv-nxf7-rkbj

vulnerability	VCID-t6n1-e9kc-hqgx

vulnerability	VCID-uqrk-gg9y-5bfz

vulnerability	VCID-wdsq-y8uf-2feh

vulnerability	VCID-wgv6-ermy-yycy

vulnerability	VCID-xzrf-tsxp-hqeg

vulnerability	VCID-yddv-cunp-yyd7

vulnerability	VCID-zrny-u44x-3fh1

vulnerability	VCID-zrw8-shww-mqe4

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.6

aliases CVE-2025-32421, GHSA-qpjv-v59x-3qc4

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xz2s-8drg-8bam

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@10.2.4-canary.6

Package Instance