Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/next@16.1.0-canary.0
purl pkg:npm/next@16.1.0-canary.0
Next non-vulnerable version 16.1.0-canary.19
Latest non-vulnerable version 16.2.6
Risk
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-aaqz-vvuv-nkhs
Aliases:
GHSA-h25m-26qc-wcjf
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as [CVE-2026-23864](https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg). A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
16.1.5
Affected by 0 other vulnerabilities.
VCID-n2as-avgp-nbda
Aliases:
GHSA-w37m-7fhw-fmv9
Next Server Actions Source Code Exposure A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55183](https://www.cve.org/CVERecord?id=CVE-2025-55183). A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of [Server Functions](https://react.dev/reference/rsc/server-functions). This could reveal business logic, but would not expose secrets unless they were hardcoded directly into [Server Function](https://react.dev/reference/rsc/server-functions) code.
16.1.0-canary.17
Affected by 1 other vulnerability.
VCID-ufeu-t99r-7ffc
Aliases:
GHSA-mwv6-3258-q52c
Next Vulnerable to Denial of Service with Server Components A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as [CVE-2025-55184](https://www.cve.org/CVERecord?id=CVE-2025-55184). A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.
16.1.0-canary.17
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-29T17:36:48.229087+00:00 GitLab Importer Affected by VCID-aaqz-vvuv-nkhs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next/GHSA-h25m-26qc-wcjf.yml 38.6.0
2026-05-29T17:36:22.468346+00:00 GitLab Importer Affected by VCID-ufeu-t99r-7ffc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next/GHSA-mwv6-3258-q52c.yml 38.6.0
2026-05-29T17:36:21.902270+00:00 GitLab Importer Affected by VCID-n2as-avgp-nbda https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/next/GHSA-w37m-7fhw-fmv9.yml 38.6.0
2026-05-29T14:34:41.633493+00:00 GHSA Importer Affected by VCID-aaqz-vvuv-nkhs https://github.com/advisories/GHSA-h25m-26qc-wcjf 38.6.0
2026-05-29T14:34:02.879738+00:00 GHSA Importer Affected by VCID-n2as-avgp-nbda https://github.com/advisories/GHSA-w37m-7fhw-fmv9 38.6.0
2026-05-29T14:34:02.410832+00:00 GHSA Importer Affected by VCID-ufeu-t99r-7ffc https://github.com/advisories/GHSA-mwv6-3258-q52c 38.6.0