Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/next@14.3.0-canary.77

Type npm

Namespace

Name next

Version 14.3.0-canary.77

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 15.5.15

Latest_non_vulnerable_version 16.2.6

Affected_by_vulnerabilities

url VCID-3rx6-y94b-27ep

vulnerability_id VCID-3rx6-y94b-27ep

summary

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

references

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://vercel.com/changelog/summary-of-cve-2026-23864

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://vercel.com/changelog/summary-of-cve-2026-23864

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-23864

reference_id

CVE-2026-23864

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-23864

reference_url

https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg

reference_id

GHSA-83fc-fqcc-2hmg

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg

reference_url

https://github.com/advisories/GHSA-h25m-26qc-wcjf

reference_id

GHSA-h25m-26qc-wcjf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-h25m-26qc-wcjf

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf

reference_id

GHSA-h25m-26qc-wcjf

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf

fixed_packages

url pkg:npm/next@15.0.8

purl pkg:npm/next@15.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.8

url pkg:npm/next@15.1.12

purl pkg:npm/next@15.1.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.12

url pkg:npm/next@15.2.9

purl pkg:npm/next@15.2.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.9

url pkg:npm/next@15.3.9

purl pkg:npm/next@15.3.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.9

url pkg:npm/next@15.4.11

purl pkg:npm/next@15.4.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.11

url pkg:npm/next@15.5.10

purl pkg:npm/next@15.5.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.10

url pkg:npm/next@15.6.0-canary.61

purl pkg:npm/next@15.6.0-canary.61

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.61

url pkg:npm/next@16.0.11

purl pkg:npm/next@16.0.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2qqn-59dj-23e3

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-eqhy-dum5-yqef

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-pgh9-tvw4-23cz

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.11

url pkg:npm/next@16.1.5

purl pkg:npm/next@16.1.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2qqn-59dj-23e3

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-eqhy-dum5-yqef

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-pgh9-tvw4-23cz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5

aliases GHSA-h25m-26qc-wcjf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3rx6-y94b-27ep

url VCID-753e-dm2r-sybh

vulnerability_id VCID-753e-dm2r-sybh

summary next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-27980

reference_id

reference_type

scores

value	0.00023
scoring_system	epss
scoring_elements	0.06871
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-27980

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/

url

https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd

reference_url

https://github.com/vercel/next.js/releases/tag/v16.1.7

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/

url

https://github.com/vercel/next.js/releases/tag/v16.1.7

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-27980

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-27980

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2448509
reference_id	2448509
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2448509

reference_url	https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
reference_id	GHSA-3x4c-7xq6-9pq8
reference_type
scores
url	https://github.com/advisories/GHSA-3x4c-7xq6-9pq8

reference_url	https://access.redhat.com/errata/RHSA-2026:13571
reference_id	RHSA-2026:13571
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13571

fixed_packages

url pkg:npm/next@15.5.14

purl pkg:npm/next@15.5.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kxdb-aa4z-qqbu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.14

url pkg:npm/next@15.6.0-canary.0

purl pkg:npm/next@15.6.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.0

url pkg:npm/next@16.1.7

purl pkg:npm/next@16.1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kxdb-aa4z-qqbu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7

aliases CVE-2026-27980, GHSA-3x4c-7xq6-9pq8

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-753e-dm2r-sybh

url VCID-ffry-2c7p-vyhp

vulnerability_id VCID-ffry-2c7p-vyhp

summary next.js: Next.js: HTTP request smuggling in rewrites

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-29057

reference_id

reference_type

scores

value	0.00031
scoring_system	epss
scoring_elements	0.09377
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-29057

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6

reference_url

https://github.com/vercel/next.js/releases/tag/v15.5.13

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/releases/tag/v15.5.13

reference_url

https://github.com/vercel/next.js/releases/tag/v16.1.7

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/releases/tag/v16.1.7

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-29057

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-29057

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2448515
reference_id	2448515
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2448515

reference_url	https://github.com/advisories/GHSA-ggv3-7p47-pfv8
reference_id	GHSA-ggv3-7p47-pfv8
reference_type
scores
url	https://github.com/advisories/GHSA-ggv3-7p47-pfv8

fixed_packages

url pkg:npm/next@15.5.13

purl pkg:npm/next@15.5.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-kxdb-aa4z-qqbu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.13

url pkg:npm/next@16.1.7

purl pkg:npm/next@16.1.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kxdb-aa4z-qqbu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7

aliases CVE-2026-29057, GHSA-ggv3-7p47-pfv8

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ffry-2c7p-vyhp

url VCID-k1q6-b8t3-hqb6

vulnerability_id VCID-k1q6-b8t3-hqb6

summary

Duplicate
This advisory duplicates another.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55182.json

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55182.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-55182

reference_id

reference_type

scores

value	0.84541
scoring_system	epss
scoring_elements	0.99347
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-55182

reference_url

https://github.com/facebook/react

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react

reference_url

https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700

reference_url

https://github.com/facebook/react/pull/35277

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react/pull/35277

reference_url

https://github.com/facebook/react/releases/tag/v19.0.1

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react/releases/tag/v19.0.1

reference_url

https://github.com/facebook/react/releases/tag/v19.1.2

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react/releases/tag/v19.1.2

reference_url

https://github.com/facebook/react/releases/tag/v19.2.1

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react/releases/tag/v19.2.1

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://news.ycombinator.com/item?id=46136026

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://news.ycombinator.com/item?id=46136026

reference_url

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-12-06T04:55:43Z/

url

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

reference_url

http://www.openwall.com/lists/oss-security/2025/12/03/4

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2025/12/03/4

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2418613
reference_id	2418613
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2418613

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52506.py
reference_id	CVE-2025-55182
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52506.py

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-55182

reference_id

CVE-2025-55182

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-55182

reference_url

https://www.facebook.com/security/advisories/cve-2025-55182

reference_id

CVE-2025-55182

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-12-06T04:55:43Z/

url

https://www.facebook.com/security/advisories/cve-2025-55182

reference_url

https://github.com/ejpir/CVE-2025-55182-poc

reference_id

CVE-2025-55182-POC

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/ejpir/CVE-2025-55182-poc

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2025-66478
reference_id	CVE-2025-66478
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2025-66478

reference_url

https://github.com/advisories/GHSA-9qr9-h5gf-34mp

reference_id

GHSA-9qr9-h5gf-34mp

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9qr9-h5gf-34mp

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp

reference_id

GHSA-9qr9-h5gf-34mp

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp

reference_url

https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp

reference_id

GHSA-fmh4-wr37-44fp

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp

reference_url

https://github.com/advisories/GHSA-fv66-9v8q-g76r

reference_id

GHSA-fv66-9v8q-g76r

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fv66-9v8q-g76r

reference_url

https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

reference_id

GHSA-fv66-9v8q-g76r

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r

fixed_packages

url pkg:npm/next@15.0.5

purl pkg:npm/next@15.0.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.5

url pkg:npm/next@15.1.9

purl pkg:npm/next@15.1.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.9

url pkg:npm/next@15.2.6

purl pkg:npm/next@15.2.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.6

url pkg:npm/next@15.3.6

purl pkg:npm/next@15.3.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.6

url pkg:npm/next@15.4.8

purl pkg:npm/next@15.4.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.8

url pkg:npm/next@15.5.7

purl pkg:npm/next@15.5.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.7

url pkg:npm/next@15.6.0-canary.0

purl pkg:npm/next@15.6.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.0

url pkg:npm/next@16.0.7

purl pkg:npm/next@16.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-2qqn-59dj-23e3

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-eqhy-dum5-yqef

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-pgh9-tvw4-23cz

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.7

url pkg:npm/next@16.1.0-canary.0

purl pkg:npm/next@16.1.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-2qqn-59dj-23e3

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-eqhy-dum5-yqef

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-pgh9-tvw4-23cz

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.0

aliases CVE-2025-55182, CVE-2025-66478, GHSA-9qr9-h5gf-34mp, GHSA-fv66-9v8q-g76r

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k1q6-b8t3-hqb6

url VCID-kxdb-aa4z-qqbu

vulnerability_id VCID-kxdb-aa4z-qqbu

summary

Next.js has a Denial of Service with Server Components
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23869](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg). You can read more about this advisory our [this changelog](https://vercel.com/changelog/summary-of-cve-2026-23869).

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.

references

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3

reference_url

https://vercel.com/changelog/summary-of-cve-2026-23869

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://vercel.com/changelog/summary-of-cve-2026-23869

reference_url	https://github.com/advisories/GHSA-q4gf-8mx6-v5v3
reference_id	GHSA-q4gf-8mx6-v5v3
reference_type
scores
url	https://github.com/advisories/GHSA-q4gf-8mx6-v5v3

fixed_packages

url	pkg:npm/next@15.5.15
purl	pkg:npm/next@15.5.15
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.15

url	pkg:npm/next@16.2.3
purl	pkg:npm/next@16.2.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/next@16.2.3

aliases GHSA-q4gf-8mx6-v5v3

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kxdb-aa4z-qqbu

url VCID-vqxd-ebjg-c3cw

vulnerability_id VCID-vqxd-ebjg-c3cw

summary

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-59471

reference_id

reference_type

scores

value	0.00041
scoring_system	epss
scoring_elements	0.12928
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-59471

reference_url

https://github.com/vercel/next.js

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js

reference_url

https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c

reference_url

https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec

reference_url

https://github.com/vercel/next.js/releases/tag/v15.5.10

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v15.5.10

reference_url

https://github.com/vercel/next.js/releases/tag/v16.1.5

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/vercel/next.js/releases/tag/v16.1.5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2433094
reference_id	2433094
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2433094

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-59471

reference_id

CVE-2025-59471

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-59471

reference_url

https://github.com/advisories/GHSA-9g9p-9gw9-jx7f

reference_id

GHSA-9g9p-9gw9-jx7f

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9g9p-9gw9-jx7f

reference_url

https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f

reference_id

GHSA-9g9p-9gw9-jx7f

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:54:47Z/

url

https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f

fixed_packages

url pkg:npm/next@15.5.10

purl pkg:npm/next@15.5.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.10

url pkg:npm/next@16.1.5

purl pkg:npm/next@16.1.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2qqn-59dj-23e3

vulnerability	VCID-753e-dm2r-sybh

vulnerability	VCID-eqhy-dum5-yqef

vulnerability	VCID-ffry-2c7p-vyhp

vulnerability	VCID-kxdb-aa4z-qqbu

vulnerability	VCID-pgh9-tvw4-23cz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5

aliases CVE-2025-59471, GHSA-9g9p-9gw9-jx7f

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vqxd-ebjg-c3cw

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.3.0-canary.77

Package Instance