{"url":"http://public2.vulnerablecode.io/api/packages/73664?format=json","purl":"pkg:npm/next@15.2.9","type":"npm","namespace":"","name":"next","version":"15.2.9","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"15.3.6","latest_non_vulnerable_version":"16.1.5","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49872?format=json","vulnerability_id":"VCID-3rx6-y94b-27ep","summary":"Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components\nA vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).\n\nA specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.","references":[{"reference_url":"https://github.com/vercel/next.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js"},{"reference_url":"https://vercel.com/changelog/summary-of-cve-2026-23864","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://vercel.com/changelog/summary-of-cve-2026-23864"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23864","reference_id":"CVE-2026-23864","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23864"},{"reference_url":"https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg","reference_id":"GHSA-83fc-fqcc-2hmg","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg"},{"reference_url":"https://github.com/advisories/GHSA-h25m-26qc-wcjf","reference_id":"GHSA-h25m-26qc-wcjf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h25m-26qc-wcjf"},{"reference_url":"https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf","reference_id":"GHSA-h25m-26qc-wcjf","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73662?format=json","purl":"pkg:npm/next@15.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.8"},{"url":"http://public2.vulnerablecode.io/api/packages/73663?format=json","purl":"pkg:npm/next@15.1.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/73664?format=json","purl":"pkg:npm/next@15.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/73665?format=json","purl":"pkg:npm/next@15.3.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/73666?format=json","purl":"pkg:npm/next@15.4.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.11"},{"url":"http://public2.vulnerablecode.io/api/packages/73639?format=json","purl":"pkg:npm/next@15.5.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.10"},{"url":"http://public2.vulnerablecode.io/api/packages/73667?format=json","purl":"pkg:npm/next@15.6.0-canary.61","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.61"},{"url":"http://public2.vulnerablecode.io/api/packages/73668?format=json","purl":"pkg:npm/next@16.0.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.11"},{"url":"http://public2.vulnerablecode.io/api/packages/73640?format=json","purl":"pkg:npm/next@16.1.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5"}],"aliases":["GHSA-h25m-26qc-wcjf"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3rx6-y94b-27ep"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.9"}