{"url":"http://public2.vulnerablecode.io/api/packages/516061?format=json","purl":"pkg:npm/next@11.1.3-canary.88","type":"npm","namespace":"","name":"next","version":"11.1.3-canary.88","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"15.5.15","latest_non_vulnerable_version":"16.2.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7702?format=json","vulnerability_id":"VCID-1e41-bmst-83g4","summary":"next.js: Next.js: HTTP request smuggling in rewrites","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29057","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.0945","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29057"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/"}],"url":"https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v15.5.13","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/"}],"url":"https://github.com/vercel/next.js/releases/tag/v15.5.13"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v16.1.7","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/"}],"url":"https://github.com/vercel/next.js/releases/tag/v16.1.7"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29057","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29057"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448515","reference_id":"2448515","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448515"},{"reference_url":"https://github.com/advisories/GHSA-ggv3-7p47-pfv8","reference_id":"GHSA-ggv3-7p47-pfv8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-ggv3-7p47-pfv8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57496?format=json","purl":"pkg:npm/next@15.5.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.13"},{"url":"http://public2.vulnerablecode.io/api/packages/57080?format=json","purl":"pkg:npm/next@16.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gdrq-6f7n-p7c7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7"}],"aliases":["CVE-2026-29057","GHSA-ggv3-7p47-pfv8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1e41-bmst-83g4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18584?format=json","vulnerability_id":"VCID-4cx4-sw39-3kab","summary":"nextjs: Next.js Affected by Cache Key Confusion for Image Optimization API Routes","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57752.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57752","reference_id":"","reference_type":"","scores":[{"value":"0.00144","scoring_system":"epss","scoring_elements":"0.34393","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57752"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd"},{"reference_url":"https://github.com/vercel/next.js/pull/82114","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://github.com/vercel/next.js/pull/82114"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57752","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57752"},{"reference_url":"https://vercel.com/changelog/cve-2025-57752","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:23:30Z/"}],"url":"https://vercel.com/changelog/cve-2025-57752"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392060","reference_id":"2392060","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392060"},{"reference_url":"https://github.com/advisories/GHSA-g5qg-72qw-gw5v","reference_id":"GHSA-g5qg-72qw-gw5v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g5qg-72qw-gw5v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64485?format=json","purl":"pkg:npm/next@14.2.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31"},{"url":"http://public2.vulnerablecode.io/api/packages/64486?format=json","purl":"pkg:npm/next@15.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-n2as-avgp-nbda"},{"vulnerability":"VCID-qdx5-u44b-7fhc"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5"}],"aliases":["CVE-2025-57752","GHSA-g5qg-72qw-gw5v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4cx4-sw39-3kab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35014?format=json","vulnerability_id":"VCID-7hr5-47fw-b7gh","summary":"Next.js missing cache-control header may lead to CDN caching empty reply\nNext.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46298","reference_id":"","reference_type":"","scores":[{"value":"0.00373","scoring_system":"epss","scoring_elements":"0.59264","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46298"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648"},{"reference_url":"https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13"},{"reference_url":"https://github.com/vercel/next.js/issues/45301","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/issues/45301"},{"reference_url":"https://github.com/vercel/next.js/pull/54732","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/pull/54732"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46298","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46298"},{"reference_url":"https://github.com/advisories/GHSA-c59h-r6p8-q9wc","reference_id":"GHSA-c59h-r6p8-q9wc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c59h-r6p8-q9wc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373793?format=json","purl":"pkg:npm/next@13.4.20-canary.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-39pt-9y5n-47cg"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-7hr5-47fw-b7gh"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-ffqt-uqa9-5bhf"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-gkvy-3f5g-4bfn"},{"vulnerability":"VCID-kppf-1dh3-3qae"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-ps3a-6mvf-p7c4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xs17-54tf-jyd5"},{"vulnerability":"VCID-ysmn-g34m-a3fx"},{"vulnerability":"VCID-zkej-vpyw-vubw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.0"},{"url":"http://public2.vulnerablecode.io/api/packages/67207?format=json","purl":"pkg:npm/next@13.4.20-canary.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-39pt-9y5n-47cg"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-7hr5-47fw-b7gh"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-ffqt-uqa9-5bhf"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-gkvy-3f5g-4bfn"},{"vulnerability":"VCID-kppf-1dh3-3qae"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-ps3a-6mvf-p7c4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xs17-54tf-jyd5"},{"vulnerability":"VCID-ysmn-g34m-a3fx"},{"vulnerability":"VCID-zkej-vpyw-vubw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.13"},{"url":"http://public2.vulnerablecode.io/api/packages/37688?format=json","purl":"pkg:npm/next@13.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-39pt-9y5n-47cg"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-ffqt-uqa9-5bhf"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-gkvy-3f5g-4bfn"},{"vulnerability":"VCID-kppf-1dh3-3qae"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-ps3a-6mvf-p7c4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xs17-54tf-jyd5"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.0"}],"aliases":["CVE-2023-46298","GHSA-c59h-r6p8-q9wc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7hr5-47fw-b7gh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42885?format=json","vulnerability_id":"VCID-b3t9-wky1-mya9","summary":"Unexpected server crash in Next.js.\nNext.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package `next` hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43803","reference_id":"","reference_type":"","scores":[{"value":"0.0218","scoring_system":"epss","scoring_elements":"0.84624","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43803"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264"},{"reference_url":"https://github.com/vercel/next.js/pull/32080","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/pull/32080"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v11.1.3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/releases/tag/v11.1.3"},{"reference_url":"https://github.com/vercel/next.js/releases/v12.0.5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/releases/v12.0.5"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43803","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43803"},{"reference_url":"https://github.com/advisories/GHSA-25mp-g6fv-mqxx","reference_id":"GHSA-25mp-g6fv-mqxx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-25mp-g6fv-mqxx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77083?format=json","purl":"pkg:npm/next@11.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-7hr5-47fw-b7gh"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-gkvy-3f5g-4bfn"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-ps3a-6mvf-p7c4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-xkhx-7tvp-hqgq"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@11.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/77082?format=json","purl":"pkg:npm/next@12.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-7hr5-47fw-b7gh"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-e77b-hwuk-8ud9"},{"vulnerability":"VCID-gkvy-3f5g-4bfn"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-ps3a-6mvf-p7c4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xkhx-7tvp-hqgq"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@12.0.5"}],"aliases":["CVE-2021-43803","GHSA-25mp-g6fv-mqxx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b3t9-wky1-mya9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18585?format=json","vulnerability_id":"VCID-du6a-s3hd-6fe8","summary":"nextjs: Next.js Content Injection Vulnerability for Image Optimization","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55173.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55173","reference_id":"","reference_type":"","scores":[{"value":"0.00687","scoring_system":"epss","scoring_elements":"0.7205","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-55173"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/"}],"url":"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55173","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55173"},{"reference_url":"https://vercel.com/changelog/cve-2025-55173","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T19:22:48Z/"}],"url":"https://vercel.com/changelog/cve-2025-55173"},{"reference_url":"http://vercel.com/changelog/cve-2025-55173","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://vercel.com/changelog/cve-2025-55173"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392059","reference_id":"2392059","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2392059"},{"reference_url":"https://github.com/advisories/GHSA-xv57-4mr9-wg8v","reference_id":"GHSA-xv57-4mr9-wg8v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xv57-4mr9-wg8v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64485?format=json","purl":"pkg:npm/next@14.2.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.31"},{"url":"http://public2.vulnerablecode.io/api/packages/64486?format=json","purl":"pkg:npm/next@15.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-n2as-avgp-nbda"},{"vulnerability":"VCID-qdx5-u44b-7fhc"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.5"}],"aliases":["CVE-2025-55173","GHSA-xv57-4mr9-wg8v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-du6a-s3hd-6fe8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7762?format=json","vulnerability_id":"VCID-gkvy-3f5g-4bfn","summary":"Denial of Service condition in Next.js image optimization\n### Impact\nThe image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.\n\n**Not affected:**\n- The `next.config.js` file is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value.\n- The Next.js application is hosted on Vercel. \n\n### Patches\nThis issue was fully patched in Next.js `14.2.7`. We recommend that users upgrade to at least this version.\n\n### Workarounds\nEnsure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.\n\n#### Credits\nBrandon Dahler (brandondahler), AWS\nDimitrios Vlastaras","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47831.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47831.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47831","reference_id":"","reference_type":"","scores":[{"value":"0.01306","scoring_system":"epss","scoring_elements":"0.80085","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47831"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:51:58Z/"}],"url":"https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T14:51:58Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47831","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47831"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318607","reference_id":"2318607","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2318607"},{"reference_url":"https://github.com/advisories/GHSA-g77x-44xx-532m","reference_id":"GHSA-g77x-44xx-532m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g77x-44xx-532m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19972?format=json","purl":"pkg:npm/next@14.2.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-ffqt-uqa9-5bhf"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-je4q-rdyj-xkap"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-ps3a-6mvf-p7c4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xs17-54tf-jyd5"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.7"}],"aliases":["CVE-2024-47831","GHSA-g77x-44xx-532m"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gkvy-3f5g-4bfn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22037?format=json","vulnerability_id":"VCID-njxm-zh9p-zye4","summary":"next.js: Next.js Race Condition to Cache Poisoning","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32421.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32421","reference_id":"","reference_type":"","scores":[{"value":"0.00752","scoring_system":"epss","scoring_elements":"0.73486","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32421"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32421","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32421"},{"reference_url":"https://vercel.com/changelog/cve-2025-32421","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T15:40:39Z/"}],"url":"https://vercel.com/changelog/cve-2025-32421"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2366366","reference_id":"2366366","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2366366"},{"reference_url":"https://github.com/advisories/GHSA-qpjv-v59x-3qc4","reference_id":"GHSA-qpjv-v59x-3qc4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qpjv-v59x-3qc4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/66823?format=json","purl":"pkg:npm/next@14.2.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xs17-54tf-jyd5"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.24"},{"url":"http://public2.vulnerablecode.io/api/packages/66824?format=json","purl":"pkg:npm/next@15.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-8rz7-zeem-37c8"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-n2as-avgp-nbda"},{"vulnerability":"VCID-qdx5-u44b-7fhc"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xs17-54tf-jyd5"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.6"}],"aliases":["CVE-2025-32421","GHSA-qpjv-v59x-3qc4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-njxm-zh9p-zye4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9858?format=json","vulnerability_id":"VCID-ps3a-6mvf-p7c4","summary":"Next.js authorization bypass vulnerability\n### Impact\nIf a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.\n\n### Patches\nThis issue was patched in Next.js `14.2.15` and later.\n\nIf your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.\n\n### Workarounds\nThere are no official workarounds for this vulnerability.\n\n#### Credits\nWe'd like to thank [tyage](http://github.com/tyage) (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51479.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51479.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-51479","reference_id":"","reference_type":"","scores":[{"value":"0.78509","scoring_system":"epss","scoring_elements":"0.9906","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-51479"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v14.2.15","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-17T20:36:20Z/"}],"url":"https://github.com/vercel/next.js/releases/tag/v14.2.15"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-17T20:36:20Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-51479","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-51479"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2332884","reference_id":"2332884","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2332884"},{"reference_url":"https://github.com/advisories/GHSA-7gfc-8cq8-jh5f","reference_id":"GHSA-7gfc-8cq8-jh5f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7gfc-8cq8-jh5f"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:3807","reference_id":"RHSA-2025:3807","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:3807"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24990?format=json","purl":"pkg:npm/next@14.2.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-ffqt-uqa9-5bhf"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-xs17-54tf-jyd5"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.15"}],"aliases":["CVE-2024-51479","GHSA-7gfc-8cq8-jh5f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ps3a-6mvf-p7c4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11216?format=json","vulnerability_id":"VCID-rktf-khtj-8ua4","summary":"next: NextJS Denial of Service in Image Optimizer","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59471","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12925","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59471"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c"},{"reference_url":"https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v15.5.10","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/releases/tag/v15.5.10"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v16.1.5","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/releases/tag/v16.1.5"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:54:47Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59471","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59471"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433094","reference_id":"2433094","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433094"},{"reference_url":"https://github.com/advisories/GHSA-9g9p-9gw9-jx7f","reference_id":"GHSA-9g9p-9gw9-jx7f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9g9p-9gw9-jx7f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52589?format=json","purl":"pkg:npm/next@15.5.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.10"},{"url":"http://public2.vulnerablecode.io/api/packages/52599?format=json","purl":"pkg:npm/next@16.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-c6bj-hxmh-u7bq"},{"vulnerability":"VCID-fg9w-vdeb-zuh8"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-vrxz-432j-e7dg"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5"}],"aliases":["CVE-2025-59471","GHSA-9g9p-9gw9-jx7f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rktf-khtj-8ua4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31171?format=json","vulnerability_id":"VCID-ryx9-guuc-h7d8","summary":"Next.js Improper Middleware Redirect Handling Leads to SSRF\nA vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly passed into `NextResponse.next()`. In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.\n\nAll users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the `next()` function.\n\nMore details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-57822)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57822","reference_id":"","reference_type":"","scores":[{"value":"0.07815","scoring_system":"epss","scoring_elements":"0.921","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57822"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/"}],"url":"https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57822","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57822"},{"reference_url":"https://vercel.com/changelog/cve-2025-57822","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-02T17:26:15Z/"}],"url":"https://vercel.com/changelog/cve-2025-57822"},{"reference_url":"https://github.com/advisories/GHSA-4342-x723-ch2f","reference_id":"GHSA-4342-x723-ch2f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4342-x723-ch2f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64371?format=json","purl":"pkg:npm/next@14.2.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-sh1v-ynwb-a3cn"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.32"},{"url":"http://public2.vulnerablecode.io/api/packages/64372?format=json","purl":"pkg:npm/next@15.4.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-gdrq-6f7n-p7c7"},{"vulnerability":"VCID-n2as-avgp-nbda"},{"vulnerability":"VCID-qdx5-u44b-7fhc"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ufeu-t99r-7ffc"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.7"}],"aliases":["CVE-2025-57822","GHSA-4342-x723-ch2f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ryx9-guuc-h7d8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50488?format=json","vulnerability_id":"VCID-xkhx-7tvp-hqgq","summary":"Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0\nNext.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.\n\n### Impact\n- **Affected**: All of the following must be true to be affected\n  - Next.js between version 10.0.0 and 12.0.10\n  - The `next.config.js` file has [images.domains](https://nextjs.org/docs/api-reference/next/image#domains) array assigned\n  - The image host assigned in [images.domains](https://nextjs.org/docs/api-reference/next/image#domains) allows user-provided SVG\n- **Not affected**: The `next.config.js` file has [images.loader](https://nextjs.org/docs/api-reference/next/image#loader-configuration) assigned to something other than default\n\n### Patches\n[Next.js 12.1.0](https://github.com/vercel/next.js/releases/tag/v12.1.0)\n\n### Workarounds\nChange `next.config.js` to use a different [loader configuration](https://nextjs.org/docs/api-reference/next/image#loader-configuration) other than the default, for example:\n\n```js\nmodule.exports = {\n  images: {\n    loader: 'imgix',\n    path: 'https://example.com/myaccount/',\n  },\n}\n```\n\nOr if you want to use the [`loader`](https://nextjs.org/docs/api-reference/next/image#loader) prop on the component, you can use `custom`:\n```js\nmodule.exports = {\n  images: {\n    loader: 'custom',\n  },\n}\n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23646","reference_id":"","reference_type":"","scores":[{"value":"0.01381","scoring_system":"epss","scoring_elements":"0.80588","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23646"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/pull/34075","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/pull/34075"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v12.1.0","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/releases/tag/v12.1.0"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23646","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23646"},{"reference_url":"https://github.com/advisories/GHSA-fmvm-x8mv-47mj","reference_id":"GHSA-fmvm-x8mv-47mj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fmvm-x8mv-47mj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86708?format=json","purl":"pkg:npm/next@12.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1e41-bmst-83g4"},{"vulnerability":"VCID-4cx4-sw39-3kab"},{"vulnerability":"VCID-7hr5-47fw-b7gh"},{"vulnerability":"VCID-du6a-s3hd-6fe8"},{"vulnerability":"VCID-gkvy-3f5g-4bfn"},{"vulnerability":"VCID-njxm-zh9p-zye4"},{"vulnerability":"VCID-ps3a-6mvf-p7c4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ryx9-guuc-h7d8"},{"vulnerability":"VCID-vv5k-tnv7-u7b9"},{"vulnerability":"VCID-ysmn-g34m-a3fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@12.1.0"}],"aliases":["CVE-2022-23646","GHSA-fmvm-x8mv-47mj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xkhx-7tvp-hqgq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7703?format=json","vulnerability_id":"VCID-ysmn-g34m-a3fx","summary":"next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27980","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.07004","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27980"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/"}],"url":"https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd"},{"reference_url":"https://github.com/vercel/next.js/releases/tag/v16.1.7","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/"}],"url":"https://github.com/vercel/next.js/releases/tag/v16.1.7"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27980","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27980"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448509","reference_id":"2448509","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448509"},{"reference_url":"https://github.com/advisories/GHSA-3x4c-7xq6-9pq8","reference_id":"GHSA-3x4c-7xq6-9pq8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3x4c-7xq6-9pq8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13571","reference_id":"RHSA-2026:13571","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13571"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57598?format=json","purl":"pkg:npm/next@15.5.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gdrq-6f7n-p7c7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.14"},{"url":"http://public2.vulnerablecode.io/api/packages/328393?format=json","purl":"pkg:npm/next@15.6.0-canary.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-aaqz-vvuv-nkhs"},{"vulnerability":"VCID-n2as-avgp-nbda"},{"vulnerability":"VCID-p2jf-e5pw-huf4"},{"vulnerability":"VCID-rktf-khtj-8ua4"},{"vulnerability":"VCID-ufeu-t99r-7ffc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.0"},{"url":"http://public2.vulnerablecode.io/api/packages/57080?format=json","purl":"pkg:npm/next@16.1.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gdrq-6f7n-p7c7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7"}],"aliases":["CVE-2026-27980","GHSA-3x4c-7xq6-9pq8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ysmn-g34m-a3fx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@11.1.3-canary.88"}