Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-2q2t-61xt-u3ax

Summary

Next Server Actions Source Code Exposure
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183).

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of [Server Functions](https://react.dev/reference/rsc/server-functions). This could reveal business logic, but would not expose secrets unless they were hardcoded directly into [Server Function](https://react.dev/reference/rsc/server-functions) code.

Aliases

alias	GHSA-w37m-7fhw-fmv9

Fixed_packages

url pkg:npm/next@15.0.6

purl pkg:npm/next@15.0.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.6

url pkg:npm/next@15.1.10

purl pkg:npm/next@15.1.10

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.10

url pkg:npm/next@15.2.7

purl pkg:npm/next@15.2.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.7

url pkg:npm/next@15.3.7

purl pkg:npm/next@15.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.7

url pkg:npm/next@15.4.9

purl pkg:npm/next@15.4.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.9

url pkg:npm/next@15.5.8

purl pkg:npm/next@15.5.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.8

url pkg:npm/next@15.6.0-canary.59

purl pkg:npm/next@15.6.0-canary.59

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.59

url pkg:npm/next@16.0.9

purl pkg:npm/next@16.0.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.9

url pkg:npm/next@16.1.0-canary.17

purl pkg:npm/next@16.1.0-canary.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-38m6-9vq5-a7a7

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.17

Affected_packages

url pkg:npm/next@15.0.0-canary.0

purl pkg:npm/next@15.0.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-d59z-sntr-uuak

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.0.0-canary.0

url pkg:npm/next@15.1.1-canary.0

purl pkg:npm/next@15.1.1-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.1.1-canary.0

url pkg:npm/next@15.2.0-canary.0

purl pkg:npm/next@15.2.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-k1q6-b8t3-hqb6

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.2.0-canary.0

url pkg:npm/next@15.3.0-canary.0

purl pkg:npm/next@15.3.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-k1q6-b8t3-hqb6

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.3.0-canary.0

url pkg:npm/next@15.4.0-canary.0

purl pkg:npm/next@15.4.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-k1q6-b8t3-hqb6

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.4.0-canary.0

url pkg:npm/next@15.5.1-canary.0

purl pkg:npm/next@15.5.1-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.5.1-canary.0

url pkg:npm/next@15.6.0-canary.0

purl pkg:npm/next@15.6.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

vulnerability	VCID-vqxd-ebjg-c3cw

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@15.6.0-canary.0

url pkg:npm/next@16.0.0-beta.0

purl pkg:npm/next@16.0.0-beta.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

vulnerability	VCID-d59z-sntr-uuak

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.0.0-beta.0

url pkg:npm/next@16.1.0-canary.0

purl pkg:npm/next@16.1.0-canary.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2q2t-61xt-u3ax

vulnerability	VCID-3ruh-95mg-wybh

vulnerability	VCID-3rx6-y94b-27ep

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/next@16.1.0-canary.0

References

reference_url	https://github.com/vercel/next.js
reference_id
reference_type
scores
url	https://github.com/vercel/next.js

reference_url	https://nextjs.org/blog/security-update-2025-12-11
reference_id
reference_type
scores
url	https://nextjs.org/blog/security-update-2025-12-11

reference_url	https://www.cve.org/CVERecord?id=CVE-2025-55183
reference_id
reference_type
scores
url	https://www.cve.org/CVERecord?id=CVE-2025-55183

reference_url	https://github.com/advisories/GHSA-w37m-7fhw-fmv9
reference_id	GHSA-w37m-7fhw-fmv9
reference_type
scores
url	https://github.com/advisories/GHSA-w37m-7fhw-fmv9

reference_url	https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9
reference_id	GHSA-w37m-7fhw-fmv9
reference_type
scores
url	https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9

Weaknesses

cwe_id	1395
name	Dependency on Vulnerable Third-Party Component
description	The product has a dependency on a third-party component that contains one or more known vulnerabilities.

cwe_id	497
name	Exposure of Sensitive System Information to an Unauthorized Control Sphere
description	The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

cwe_id	502
name	Deserialization of Untrusted Data
description	The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2q2t-61xt-u3ax

Vulnerability Instance