Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/next@16.0.2-canary.23
Typenpm
Namespace
Namenext
Version16.0.2-canary.23
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version16.2.3
Latest_non_vulnerable_version16.2.6
Affected_by_vulnerabilities
0
url VCID-2q2t-61xt-u3ax
vulnerability_id VCID-2q2t-61xt-u3ax
summary 
Next Server Actions Source Code Exposure
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183).

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of [Server Functions](https://react.dev/reference/rsc/server-functions). This could reveal business logic, but would not expose secrets unless they were hardcoded directly into [Server Function](https://react.dev/reference/rsc/server-functions) code.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55183
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-55183
3
reference_url https://github.com/advisories/GHSA-w37m-7fhw-fmv9
reference_id GHSA-w37m-7fhw-fmv9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w37m-7fhw-fmv9
4
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
reference_id GHSA-w37m-7fhw-fmv9
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
fixed_packages
0
url pkg:npm/next@16.0.9
purl pkg:npm/next@16.0.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-38m6-9vq5-a7a7
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-753e-dm2r-sybh
4
vulnerability VCID-d59z-sntr-uuak
5
vulnerability VCID-eqhy-dum5-yqef
6
vulnerability VCID-ffry-2c7p-vyhp
7
vulnerability VCID-kxdb-aa4z-qqbu
8
vulnerability VCID-pgh9-tvw4-23cz
9
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9
1
url pkg:npm/next@16.1.0-canary.17
purl pkg:npm/next@16.1.0-canary.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-38m6-9vq5-a7a7
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-753e-dm2r-sybh
4
vulnerability VCID-d59z-sntr-uuak
5
vulnerability VCID-eqhy-dum5-yqef
6
vulnerability VCID-ffry-2c7p-vyhp
7
vulnerability VCID-kxdb-aa4z-qqbu
8
vulnerability VCID-pgh9-tvw4-23cz
9
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17
aliases GHSA-w37m-7fhw-fmv9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2q2t-61xt-u3ax
1
url VCID-2qqn-59dj-23e3
vulnerability_id VCID-2qqn-59dj-23e3
summary next.js: Next.js: null origin can bypass dev HMR websocket CSRF checks
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27977.json
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27977.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27977
reference_id
reference_type
scores
0
value 6e-05
scoring_system epss
scoring_elements 0.00456
published_at 2026-06-08T12:55:00Z
1
value 6e-05
scoring_system epss
scoring_elements 0.00461
published_at 2026-06-05T12:55:00Z
2
value 6e-05
scoring_system epss
scoring_elements 0.00462
published_at 2026-06-06T12:55:00Z
3
value 6e-05
scoring_system epss
scoring_elements 0.00459
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27977
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:56:08Z/
url https://github.com/vercel/next.js/commit/862f9b9bb41d235e0d8cf44aa811e7fd118cee2a
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:56:08Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:56:08Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-jcc7-9wpm-mj36
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27977
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27977
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448514
reference_id 2448514
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448514
8
reference_url https://github.com/advisories/GHSA-jcc7-9wpm-mj36
reference_id GHSA-jcc7-9wpm-mj36
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jcc7-9wpm-mj36
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kxdb-aa4z-qqbu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27977, GHSA-jcc7-9wpm-mj36
risk_score 1.9
exploitability 0.5
weighted_severity 3.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2qqn-59dj-23e3
2
url VCID-3ruh-95mg-wybh
vulnerability_id VCID-3ruh-95mg-wybh
summary 
Next Vulnerable to Denial of Service with Server Components
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184).

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nextjs.org/blog/security-update-2025-12-11
2
reference_url https://www.cve.org/CVERecord?id=CVE-2025-55184
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.cve.org/CVERecord?id=CVE-2025-55184
3
reference_url https://github.com/advisories/GHSA-mwv6-3258-q52c
reference_id GHSA-mwv6-3258-q52c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mwv6-3258-q52c
4
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
reference_id GHSA-mwv6-3258-q52c
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c
fixed_packages
0
url pkg:npm/next@16.0.9
purl pkg:npm/next@16.0.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-38m6-9vq5-a7a7
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-753e-dm2r-sybh
4
vulnerability VCID-d59z-sntr-uuak
5
vulnerability VCID-eqhy-dum5-yqef
6
vulnerability VCID-ffry-2c7p-vyhp
7
vulnerability VCID-kxdb-aa4z-qqbu
8
vulnerability VCID-pgh9-tvw4-23cz
9
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9
1
url pkg:npm/next@16.1.0-canary.17
purl pkg:npm/next@16.1.0-canary.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-38m6-9vq5-a7a7
2
vulnerability VCID-3rx6-y94b-27ep
3
vulnerability VCID-753e-dm2r-sybh
4
vulnerability VCID-d59z-sntr-uuak
5
vulnerability VCID-eqhy-dum5-yqef
6
vulnerability VCID-ffry-2c7p-vyhp
7
vulnerability VCID-kxdb-aa4z-qqbu
8
vulnerability VCID-pgh9-tvw4-23cz
9
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17
aliases GHSA-mwv6-3258-q52c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ruh-95mg-wybh
3
url VCID-3rx6-y94b-27ep
vulnerability_id VCID-3rx6-y94b-27ep
summary 
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg).

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://vercel.com/changelog/summary-of-cve-2026-23864
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://vercel.com/changelog/summary-of-cve-2026-23864
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
reference_id CVE-2026-23864
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23864
3
reference_url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
reference_id GHSA-83fc-fqcc-2hmg
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg
4
reference_url https://github.com/advisories/GHSA-h25m-26qc-wcjf
reference_id GHSA-h25m-26qc-wcjf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h25m-26qc-wcjf
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
reference_id GHSA-h25m-26qc-wcjf
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf
fixed_packages
0
url pkg:npm/next@16.0.11
purl pkg:npm/next@16.0.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-753e-dm2r-sybh
2
vulnerability VCID-d59z-sntr-uuak
3
vulnerability VCID-eqhy-dum5-yqef
4
vulnerability VCID-ffry-2c7p-vyhp
5
vulnerability VCID-kxdb-aa4z-qqbu
6
vulnerability VCID-pgh9-tvw4-23cz
7
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.11
1
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-753e-dm2r-sybh
2
vulnerability VCID-eqhy-dum5-yqef
3
vulnerability VCID-ffry-2c7p-vyhp
4
vulnerability VCID-kxdb-aa4z-qqbu
5
vulnerability VCID-pgh9-tvw4-23cz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases GHSA-h25m-26qc-wcjf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3rx6-y94b-27ep
4
url VCID-753e-dm2r-sybh
vulnerability_id VCID-753e-dm2r-sybh
summary next.js: Next.js: Unbounded next/image disk cache growth can exhaust storage
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27980.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27980
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06824
published_at 2026-06-08T12:55:00Z
1
value 0.00023
scoring_system epss
scoring_elements 0.06871
published_at 2026-06-05T12:55:00Z
2
value 0.00023
scoring_system epss
scoring_elements 0.06875
published_at 2026-06-06T12:55:00Z
3
value 0.00023
scoring_system epss
scoring_elements 0.0686
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27980
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/
url https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:50:06Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27980
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27980
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448509
reference_id 2448509
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448509
8
reference_url https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
reference_id GHSA-3x4c-7xq6-9pq8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3x4c-7xq6-9pq8
9
reference_url https://access.redhat.com/errata/RHSA-2026:13571
reference_id RHSA-2026:13571
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:13571
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kxdb-aa4z-qqbu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27980, GHSA-3x4c-7xq6-9pq8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-753e-dm2r-sybh
5
url VCID-d59z-sntr-uuak
vulnerability_id VCID-d59z-sntr-uuak
summary 
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59472.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59472
reference_id
reference_type
scores
0
value 0.0015
scoring_system epss
scoring_elements 0.35233
published_at 2026-06-08T12:55:00Z
1
value 0.0015
scoring_system epss
scoring_elements 0.35299
published_at 2026-06-05T12:55:00Z
2
value 0.0015
scoring_system epss
scoring_elements 0.35309
published_at 2026-06-06T12:55:00Z
3
value 0.0015
scoring_system epss
scoring_elements 0.35273
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59472
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433092
reference_id 2433092
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433092
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59472
reference_id CVE-2025-59472
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59472
6
reference_url https://github.com/advisories/GHSA-5f7q-jpqc-wp7h
reference_id GHSA-5f7q-jpqc-wp7h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5f7q-jpqc-wp7h
7
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
reference_id GHSA-5f7q-jpqc-wp7h
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:52:42Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h
fixed_packages
0
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-753e-dm2r-sybh
2
vulnerability VCID-eqhy-dum5-yqef
3
vulnerability VCID-ffry-2c7p-vyhp
4
vulnerability VCID-kxdb-aa4z-qqbu
5
vulnerability VCID-pgh9-tvw4-23cz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases CVE-2025-59472, GHSA-5f7q-jpqc-wp7h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d59z-sntr-uuak
6
url VCID-eqhy-dum5-yqef
vulnerability_id VCID-eqhy-dum5-yqef
summary next.js: Next.js: null origin can bypass Server Actions CSRF checks
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27978.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27978.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27978
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.01026
published_at 2026-06-08T12:55:00Z
1
value 9e-05
scoring_system epss
scoring_elements 0.0103
published_at 2026-06-06T12:55:00Z
2
value 9e-05
scoring_system epss
scoring_elements 0.01031
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27978
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:47:56Z/
url https://github.com/vercel/next.js/commit/a27a11d78e748a8c7ccfd14b7759ad2b9bf097d8
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:47:56Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:47:56Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-mq59-m269-xvcx
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27978
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27978
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448513
reference_id 2448513
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448513
8
reference_url https://github.com/advisories/GHSA-mq59-m269-xvcx
reference_id GHSA-mq59-m269-xvcx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mq59-m269-xvcx
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kxdb-aa4z-qqbu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27978, GHSA-mq59-m269-xvcx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eqhy-dum5-yqef
7
url VCID-ffry-2c7p-vyhp
vulnerability_id VCID-ffry-2c7p-vyhp
summary next.js: Next.js: HTTP request smuggling in rewrites
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29057.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-29057
reference_id
reference_type
scores
0
value 0.00031
scoring_system epss
scoring_elements 0.09322
published_at 2026-06-08T12:55:00Z
1
value 0.00031
scoring_system epss
scoring_elements 0.09377
published_at 2026-06-05T12:55:00Z
2
value 0.00031
scoring_system epss
scoring_elements 0.09397
published_at 2026-06-06T12:55:00Z
3
value 0.00031
scoring_system epss
scoring_elements 0.09382
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-29057
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/commit/dc98c04f376c6a1df76ec3e0a2d07edf4abdabd6
4
reference_url https://github.com/vercel/next.js/releases/tag/v15.5.13
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/releases/tag/v15.5.13
5
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
6
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:47:14Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-ggv3-7p47-pfv8
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-29057
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-29057
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448515
reference_id 2448515
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448515
9
reference_url https://github.com/advisories/GHSA-ggv3-7p47-pfv8
reference_id GHSA-ggv3-7p47-pfv8
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ggv3-7p47-pfv8
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kxdb-aa4z-qqbu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-29057, GHSA-ggv3-7p47-pfv8
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ffry-2c7p-vyhp
8
url VCID-k1q6-b8t3-hqb6
vulnerability_id VCID-k1q6-b8t3-hqb6
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55182.json
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55182.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-55182
reference_id
reference_type
scores
0
value 0.83197
scoring_system epss
scoring_elements 0.99283
published_at 2026-06-07T12:55:00Z
1
value 0.83197
scoring_system epss
scoring_elements 0.99284
published_at 2026-06-08T12:55:00Z
2
value 0.84489
scoring_system epss
scoring_elements 0.99345
published_at 2026-06-06T12:55:00Z
3
value 0.84541
scoring_system epss
scoring_elements 0.99347
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-55182
2
reference_url https://github.com/facebook/react
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react
3
reference_url https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/commit/7dc903cd29dac55efb4424853fd0442fef3a8700
4
reference_url https://github.com/facebook/react/pull/35277
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/pull/35277
5
reference_url https://github.com/facebook/react/releases/tag/v19.0.1
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/releases/tag/v19.0.1
6
reference_url https://github.com/facebook/react/releases/tag/v19.1.2
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/releases/tag/v19.1.2
7
reference_url https://github.com/facebook/react/releases/tag/v19.2.1
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/releases/tag/v19.2.1
8
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
9
reference_url https://news.ycombinator.com/item?id=46136026
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://news.ycombinator.com/item?id=46136026
10
reference_url https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
reference_id
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-12-06T04:55:43Z/
url https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
11
reference_url http://www.openwall.com/lists/oss-security/2025/12/03/4
reference_id
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/12/03/4
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2418613
reference_id 2418613
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2418613
13
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52506.py
reference_id CVE-2025-55182
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52506.py
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55182
reference_id CVE-2025-55182
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-55182
15
reference_url https://www.facebook.com/security/advisories/cve-2025-55182
reference_id CVE-2025-55182
reference_type
scores
0
value 10
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Act
scoring_system ssvc
scoring_elements SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-12-06T04:55:43Z/
url https://www.facebook.com/security/advisories/cve-2025-55182
16
reference_url https://github.com/ejpir/CVE-2025-55182-poc
reference_id CVE-2025-55182-POC
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/ejpir/CVE-2025-55182-poc
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-66478
reference_id CVE-2025-66478
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-66478
18
reference_url https://github.com/advisories/GHSA-9qr9-h5gf-34mp
reference_id GHSA-9qr9-h5gf-34mp
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9qr9-h5gf-34mp
19
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
reference_id GHSA-9qr9-h5gf-34mp
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp
20
reference_url https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp
reference_id GHSA-fmh4-wr37-44fp
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp
21
reference_url https://github.com/advisories/GHSA-fv66-9v8q-g76r
reference_id GHSA-fv66-9v8q-g76r
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fv66-9v8q-g76r
22
reference_url https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
reference_id GHSA-fv66-9v8q-g76r
reference_type
scores
0
value 10.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r
fixed_packages
0
url pkg:npm/next@16.0.7
purl pkg:npm/next@16.0.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2q2t-61xt-u3ax
1
vulnerability VCID-2qqn-59dj-23e3
2
vulnerability VCID-3ruh-95mg-wybh
3
vulnerability VCID-3rx6-y94b-27ep
4
vulnerability VCID-753e-dm2r-sybh
5
vulnerability VCID-d59z-sntr-uuak
6
vulnerability VCID-eqhy-dum5-yqef
7
vulnerability VCID-ffry-2c7p-vyhp
8
vulnerability VCID-kxdb-aa4z-qqbu
9
vulnerability VCID-pgh9-tvw4-23cz
10
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.7
1
url pkg:npm/next@16.1.0-canary.0
purl pkg:npm/next@16.1.0-canary.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2q2t-61xt-u3ax
1
vulnerability VCID-2qqn-59dj-23e3
2
vulnerability VCID-3ruh-95mg-wybh
3
vulnerability VCID-3rx6-y94b-27ep
4
vulnerability VCID-753e-dm2r-sybh
5
vulnerability VCID-d59z-sntr-uuak
6
vulnerability VCID-eqhy-dum5-yqef
7
vulnerability VCID-ffry-2c7p-vyhp
8
vulnerability VCID-kxdb-aa4z-qqbu
9
vulnerability VCID-pgh9-tvw4-23cz
10
vulnerability VCID-vqxd-ebjg-c3cw
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.0
aliases CVE-2025-55182, CVE-2025-66478, GHSA-9qr9-h5gf-34mp, GHSA-fv66-9v8q-g76r
risk_score 10.0
exploitability 2.0
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k1q6-b8t3-hqb6
9
url VCID-kxdb-aa4z-qqbu
vulnerability_id VCID-kxdb-aa4z-qqbu
summary 
Next.js has a Denial of Service with Server Components
A vulnerability affects certain React Server Components packages for versions 19.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23869](https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg). You can read more about this advisory our [this changelog](https://vercel.com/changelog/summary-of-cve-2026-23869).

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage. This can result in denial of service in unpatched environments.
references
0
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
1
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/security/advisories/GHSA-q4gf-8mx6-v5v3
2
reference_url https://vercel.com/changelog/summary-of-cve-2026-23869
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://vercel.com/changelog/summary-of-cve-2026-23869
3
reference_url https://github.com/advisories/GHSA-q4gf-8mx6-v5v3
reference_id GHSA-q4gf-8mx6-v5v3
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q4gf-8mx6-v5v3
fixed_packages
0
url pkg:npm/next@16.2.3
purl pkg:npm/next@16.2.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.2.3
aliases GHSA-q4gf-8mx6-v5v3
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kxdb-aa4z-qqbu
10
url VCID-pgh9-tvw4-23cz
vulnerability_id VCID-pgh9-tvw4-23cz
summary next.js: Next.js: Unbounded postponed resume buffering can lead to DoS
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27979.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27979.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27979
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05793
published_at 2026-06-08T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05844
published_at 2026-06-05T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05835
published_at 2026-06-06T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05837
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27979
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:51:23Z/
url https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f1
4
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.7
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:51:23Z/
url https://github.com/vercel/next.js/releases/tag/v16.1.7
5
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T19:51:23Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27979
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27979
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2448512
reference_id 2448512
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2448512
8
reference_url https://github.com/advisories/GHSA-h27x-g6w4-24gq
reference_id GHSA-h27x-g6w4-24gq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h27x-g6w4-24gq
fixed_packages
0
url pkg:npm/next@16.1.7
purl pkg:npm/next@16.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kxdb-aa4z-qqbu
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.7
aliases CVE-2026-27979, GHSA-h27x-g6w4-24gq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pgh9-tvw4-23cz
11
url VCID-vqxd-ebjg-c3cw
vulnerability_id VCID-vqxd-ebjg-c3cw
summary 
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59471.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59471
reference_id
reference_type
scores
0
value 0.00041
scoring_system epss
scoring_elements 0.12808
published_at 2026-06-08T12:55:00Z
1
value 0.00041
scoring_system epss
scoring_elements 0.12928
published_at 2026-06-05T12:55:00Z
2
value 0.00041
scoring_system epss
scoring_elements 0.12931
published_at 2026-06-06T12:55:00Z
3
value 0.00041
scoring_system epss
scoring_elements 0.12893
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59471
2
reference_url https://github.com/vercel/next.js
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js
3
reference_url https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c
4
reference_url https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec
5
reference_url https://github.com/vercel/next.js/releases/tag/v15.5.10
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/releases/tag/v15.5.10
6
reference_url https://github.com/vercel/next.js/releases/tag/v16.1.5
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vercel/next.js/releases/tag/v16.1.5
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2433094
reference_id 2433094
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2433094
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59471
reference_id CVE-2025-59471
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59471
9
reference_url https://github.com/advisories/GHSA-9g9p-9gw9-jx7f
reference_id GHSA-9g9p-9gw9-jx7f
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9g9p-9gw9-jx7f
10
reference_url https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
reference_id GHSA-9g9p-9gw9-jx7f
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T14:54:47Z/
url https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f
fixed_packages
0
url pkg:npm/next@16.1.5
purl pkg:npm/next@16.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2qqn-59dj-23e3
1
vulnerability VCID-753e-dm2r-sybh
2
vulnerability VCID-eqhy-dum5-yqef
3
vulnerability VCID-ffry-2c7p-vyhp
4
vulnerability VCID-kxdb-aa4z-qqbu
5
vulnerability VCID-pgh9-tvw4-23cz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.5
aliases CVE-2025-59471, GHSA-9g9p-9gw9-jx7f
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vqxd-ebjg-c3cw
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.2-canary.23