103 matches found
Next.js is vulnerable to RCE in React flight protocol
A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182. Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js:...
Next.js Framework React Server Components Remote Code Execution (CVE-2025-55182)
The Next.js Framework on the remote host is affected by a remote code execution vulnerability: - A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel,...
Security Bulletin: IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM includes a component with known vulnerabilities (CVE-2025-29927 & CVE-2025-48068)
Summary The product includes a vulnerable component e.g., framework library that may be identified and exploited with automated tools. IBM Security QRadar Network Threat Analytics app for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2025-29927 DESCRIPTION:...
EUVD-2025-16359
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2025-48068
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may...
GHSA-R2FC-CCR8-96C4 Next.js has a Cache poisoning vulnerability due to omission of the Vary header
Summary A cache poisoning issue in Next.js App Router =15.3.0 and 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3. Users on affected versions should upgrade...
VulnCheck KEV: CVE-2024-46982
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router this does not affect the app router. When this crafted request is sent it could coerce...
CVE-2025-48068
A flaw was found in Next.js. This vulnerability allows limited source code exposure via visiting a malicious webpage while the development server is running with the App Router enabled. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the...
CVE-2025-48068
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects...
CVE-2025-48068
CVE-2025-48068 affects Next.js up to versions before 14.2.30 and before 15.2.2, where the dev server with App Router enabled could expose limited source code when a user visits a malicious page while npm run dev is active. The issue is restricted to local development environments and has been pat...
CVE-2025-48068 Information exposure in Next.js dev server due to lack of origin verification
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects...
Next.js 安全漏洞
Next.js is a React framework open-sourced by Vercel. A security vulnerability exists in versions of Next.js prior to 13.0 through 15.2.2, which stems from a possible source code leak when the App Router is enabled on the development server...
GHSA-3H52-269P-CP9R Information exposure in Next.js dev server due to lack of origin verification
Summary A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a...
Information exposure in Next.js dev server due to lack of origin verification
Summary A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a...
PT-2025-23134 · Next.Js · Next.Js
Name of the Vulnerable Software and Affected Versions: Next.js versions 13.0 through 15.2.2 Description: Next.js is a React framework for building full-stack web applications. In affected versions, Next.js may have allowed limited source code exposure when the dev server was running with the App...
CVE-2024-23841
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input e.g. by redirecting...
Malicious code in nextjs-app-router (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1be3a353ab6fd3d56d1698543312d483fa52ee3aa1fbc09c0d9efbf8c6b99e33 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-12010 Malicious code in nextjs-app-router (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1be3a353ab6fd3d56d1698543312d483fa52ee3aa1fbc09c0d9efbf8c6b99e33 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2024-23841 XSS in @apollo/experimental-nextjs-app-support
apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input e.g. by redirecting...
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Impact Unauthorized access or privilege escalation due to a logic flaw in auth in the App Router or getAuth in the Pages Router. Affected Versions All applications that that use @clerk/nextjs versions in the range of = 4.7.0, 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or...