Lookup for vulnerable packages by Package URL.

Purl pkg:npm/next@15.3.7
Type npm
Namespace
Name next
Version 15.3.7
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 15.3.8
Latest_non_vulnerable_version 16.1.5
Affected_by_vulnerabilities
0
url VCID-38m6-9vq5-a7a7
vulnerability_id VCID-38m6-9vq5-a7a7
summary
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
It was discovered that the fix for [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as [CVE-2025-67779](https://www.cve.org/CVERecord?id=CVE-2025-67779).

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
reference_id
reference_type
scores
url https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
3
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55184
reference_id
reference_type
scores
url https://www.cve.org/CVERecord?id=CVE-2025-55184
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
reference_id CVE-2025-67779
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-67779
5
reference_url https://www.facebook.com/security/advisories/cve-2025-67779
reference_id CVE-2025-67779
reference_type
scores
url https://www.facebook.com/security/advisories/cve-2025-67779
6
reference_url https://github.com/advisories/GHSA-5j59-xgg2-r9c4
reference_id GHSA-5j59-xgg2-r9c4
reference_type
scores
url https://github.com/advisories/GHSA-5j59-xgg2-r9c4
7
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4
reference_id GHSA-5j59-xgg2-r9c4
reference_type
scores
url https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4
fixed_packages
0
url pkg:npm/next@15.3.8
purl pkg:npm/next@15.3.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.8
1
url pkg:npm/next@15.4.10
purl pkg:npm/next@15.4.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.10
2
url pkg:npm/next@15.5.9
purl pkg:npm/next@15.5.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.9
3
url pkg:npm/next@15.6.0-canary.60
purl pkg:npm/next@15.6.0-canary.60
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.60
4
url pkg:npm/next@16.0.10
purl pkg:npm/next@16.0.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.10
5
url pkg:npm/next@16.1.0-canary.19
purl pkg:npm/next@16.1.0-canary.19
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.19
aliases GHSA-5j59-xgg2-r9c4
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-38m6-9vq5-a7a7
Fixing_vulnerabilities
0
url VCID-2q2t-61xt-u3ax
vulnerability_id VCID-2q2t-61xt-u3ax
summary
Next Server Actions Source Code Exposure
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183).

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of [Server Functions](https://react.dev/reference/rsc/server-functions). This could reveal business logic, but would not expose secrets unless they were hardcoded directly into [Server Function](https://react.dev/reference/rsc/server-functions) code.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55183
reference_id
reference_type
scores
url https://www.cve.org/CVERecord?id=CVE-2025-55183
3
reference_url https://github.com/advisories/GHSA-w37m-7fhw-fmv9
reference_id GHSA-w37m-7fhw-fmv9
reference_type
scores
url https://github.com/advisories/GHSA-w37m-7fhw-fmv9
4
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
reference_id GHSA-w37m-7fhw-fmv9
reference_type
scores
url https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
fixed_packages
0
url pkg:npm/next@15.0.6
purl pkg:npm/next@15.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.6
1
url pkg:npm/next@15.1.10
purl pkg:npm/next@15.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.10
2
url pkg:npm/next@15.2.7
purl pkg:npm/next@15.2.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.7
3
url pkg:npm/next@15.3.7
purl pkg:npm/next@15.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.7
4
url pkg:npm/next@15.4.9
purl pkg:npm/next@15.4.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.9
5
url pkg:npm/next@15.5.8
purl pkg:npm/next@15.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.8
6
url pkg:npm/next@15.6.0-canary.59
purl pkg:npm/next@15.6.0-canary.59
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.59
7
url pkg:npm/next@16.0.9
purl pkg:npm/next@16.0.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9
8
url pkg:npm/next@16.1.0-canary.17
purl pkg:npm/next@16.1.0-canary.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17
aliases GHSA-w37m-7fhw-fmv9
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2q2t-61xt-u3ax
1
url VCID-3ruh-95mg-wybh
vulnerability_id VCID-3ruh-95mg-wybh
summary
Next Vulnerable to Denial of Service with Server Components
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55184
reference_id
reference_type
scores
url https://www.cve.org/CVERecord?id=CVE-2025-55184
3
reference_url https://github.com/advisories/GHSA-mwv6-3258-q52c
reference_id GHSA-mwv6-3258-q52c
reference_type
scores
url https://github.com/advisories/GHSA-mwv6-3258-q52c
4
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
reference_id GHSA-mwv6-3258-q52c
reference_type
scores
url https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
fixed_packages
0
url pkg:npm/next@14.2.34
purl pkg:npm/next@14.2.34
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@14.2.34
1
url pkg:npm/next@15.0.6
purl pkg:npm/next@15.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.6
2
url pkg:npm/next@15.1.10
purl pkg:npm/next@15.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.10
3
url pkg:npm/next@15.2.7
purl pkg:npm/next@15.2.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.7
4
url pkg:npm/next@15.3.7
purl pkg:npm/next@15.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.7
5
url pkg:npm/next@15.4.9
purl pkg:npm/next@15.4.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.9
6
url pkg:npm/next@15.5.8
purl pkg:npm/next@15.5.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.8
7
url pkg:npm/next@15.6.0-canary.59
purl pkg:npm/next@15.6.0-canary.59
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.59
8
url pkg:npm/next@16.0.9
purl pkg:npm/next@16.0.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9
9
url pkg:npm/next@16.1.0-canary.17
purl pkg:npm/next@16.1.0-canary.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-38m6-9vq5-a7a7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17
aliases GHSA-mwv6-3258-q52c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ruh-95mg-wybh
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.7