{"url":"http://public2.vulnerablecode.io/api/packages/661539?format=json","purl":"pkg:npm/next@13.4.6-canary.8","type":"npm","namespace":"","name":"next","version":"13.4.6-canary.8","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"13.5.7","latest_non_vulnerable_version":"16.2.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46611?format=json","vulnerability_id":"VCID-7qxb-73at-5bet","summary":"Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. This vulnerability was resolved in Next.js 13.5 and later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39693","reference_id":"","reference_type":"","scores":[{"value":"0.00514","scoring_system":"epss","scoring_elements":"0.67025","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39693"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39693","reference_id":"CVE-2024-39693","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39693"},{"reference_url":"http
s://github.com/advisories/GHSA-fq54-2j52-jc42","reference_id":"GHSA-fq54-2j52-jc42","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fq54-2j52-jc42"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42","reference_id":"GHSA-fq54-2j52-jc42","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-11T14:15:26Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32594?format=json","purl":"pkg:npm/next@13.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qmqq-zdeg-vyh5"},{"vulnerability":"VCID-qyq6-dq1h-s7en"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.0"}],"aliases":["CVE-2024-39693","GHSA-fq54-2j52-jc42"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7qxb-73at-5bet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/132733?format=json","vulnerability_id":"VCID-k79u-6118-zyag","summary":"Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that 
CDN.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46298","reference_id":"","reference_type":"","scores":[{"value":"0.00373","scoring_system":"epss","scoring_elements":"0.59422","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46298"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/20d05958ff853e9c9e42139ffec294336881c648"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46298","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46298"},{"reference_url":"https://github.com/vercel/next.js/issues/45301","reference_id":"45301","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/issues/45301"},{"reference_url":"https://github.com/vercel/next.js/pull/54732","reference_id":"54732","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/pull/54732"},{"reference_url":"https://github.com/advisories/GHSA-c59h-r6p8-q9wc","reference_id":"GHSA-c59h-r6p8-q9wc","reference_type":"","scores":[],"url":"https://github.com/advisori
es/GHSA-c59h-r6p8-q9wc"},{"reference_url":"https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13","reference_id":"v13.4.20-canary.12...v13.4.20-canary.13","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:50:22Z/"}],"url":"https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/394537?format=json","purl":"pkg:npm/next@13.4.20-canary.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7qxb-73at-5bet"},{"vulnerability":"VCID-k79u-6118-zyag"},{"vulnerability":"VCID-qmqq-zdeg-vyh5"},{"vulnerability":"VCID-qyq6-dq1h-s7en"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.0"},{"url":"http://public2.vulnerablecode.io/api/packages/379240?format=json","purl":"pkg:npm/next@13.4.20-canary.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7qxb-73at-5bet"},{"vulnerability":"VCID-k79u-6118-zyag"},{"vulnerability":"VCID-qmqq-zdeg-vyh5"},{"vulnerability":"VCID-qyq6-dq1h-s7en"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.20-canary.13"},{"url":"http://public2.vulnerablecode.io/api/packages/32594?format=json","purl":"pkg:npm/next@13.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qmqq-zdeg-vyh5"},{"vulnerability":"VCID-qyq6-dq1h-s7en"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.0"}],"aliases":["CVE-2023-46298","GHSA-c59h-r6p8-q9wc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k79u-6118-zyag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49400?format=json","vulnerability_id":"VCID-qmqq-zdeg-vyh5","summary"
:"Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34350","reference_id":"","reference_type":"","scores":[{"value":"0.00888","scoring_system":"epss","scoring_elements":"0.75936","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34350"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/commit/44eba020c615f0d9efe431f84ada67b81576f3f5"},{"reference_url":"https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements
":""}],"url":"https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34350","reference_id":"CVE-2024-34350","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34350"},{"reference_url":"https://github.com/advisories/GHSA-77r5-gw3j-2mpf","reference_id":"GHSA-77r5-gw3j-2mpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-77r5-gw3j-2mpf"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf","reference_id":"GHSA-77r5-gw3j-2mpf","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-09T20:02:36Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30977?format=json","purl":"pkg:npm/next@13.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bwnq-891k-ykh7"},{"vulnerability":"VCID-qyq6-dq1h-s7en"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.5.1"}],"aliases":["CVE-2024-34350","GHSA-77r5-gw3j-2mpf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qmqq-zdeg-vyh5"},{"url":"http://publi
c2.vulnerablecode.io/api/vulnerabilities/49903?format=json","vulnerability_id":"VCID-qyq6-dq1h-s7en","summary":"Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34351.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34351.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34351","reference_id":"","reference_type":"","scores":[{"value":"0.92751","scoring_system":"epss","scoring_elements":"0.99768","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34351"},{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454387","reference_id":"2454387","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2454387"},{"reference_url":"https://github.com/vercel/next.js/pull/62561","reference_id":"62561
","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-10T18:01:14Z/"}],"url":"https://github.com/vercel/next.js/pull/62561"},{"reference_url":"https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085","reference_id":"8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-10T18:01:14Z/"}],"url":"https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34351","reference_id":"CVE-2024-34351","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34351"},{"reference_url":"https://github.com/advisories/GHSA-fr5h-rqp8-mj6g","reference_id":"GHSA-fr5h-rqp8-mj6g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fr5h-rqp8-mj6g"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g","reference_id":"GHSA-fr5h-rqp8-mj6g","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textu
al","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-05-10T18:01:14Z/"}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:13571","reference_id":"RHSA-2026:13571","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:13571"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30978?format=json","purl":"pkg:npm/next@14.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@14.1.1"}],"aliases":["CVE-2024-34351","GHSA-fr5h-rqp8-mj6g"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qyq6-dq1h-s7en"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@13.4.6-canary.8"}