
18 matches found

Tenable Nessus
added 2026/05/15 12:00 a.m. | 4 views

Next.js Framework 12.2.x < 15.5.16 / 16.x < 16.2.5 Information Disclosure

The Next.js Framework on the remote host is affected by an information disclosure vulnerability: - Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /next/data//.json requests...

CVSS 7.5 | AI score 5.8 | EPSS 0.00052
Exploits: 1 | References: 2

Tenable Nessus
added 2026/03/20 12:00 a.m. | 5 views

Next.js Framework 9.5.x < 15.5.3 / 16.x < 16.1.7 HTTP Request Smuggling (GHSA-ggv3-7p47-pfv8)

The Next.js Framework on the remote host is affected by an HTTP request smuggling vulnerability: - A vulnerability exists in Next.js proxy rewrites where a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. An...

CVSS 6.5 | AI score 5.9 | EPSS 0.00031
Exploits: 0 | References: 2

Akamai Blog
added 2026/01/26 12:00 p.m. | 18 views

CVE-2026-23864: React and Next.js Denial of Service via Memory Exhaustion

...

CVSS 7.5 | AI score 5.9 | EPSS 0.0198
Exploits: 0

GithubExploit
added 2026/01/02 7:23 p.m. | 172 views

Exploit for Deserialization of Untrusted Data in Facebook React

🔍 Next.js Security Testing Tool Professiona...

CVSS 10 | AI score 6.7 | EPSS 0.8516
Exploits: 364

Tenable Nessus
added 2025/12/19 12:00 a.m. | 8 views

Next.js Framework React Server Components Source Code Exposure (CVE-2025-55183)

The Next.js Framework on the remote host is affected by a source code exposure vulnerability: - An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages:...

CVSS 5.3 | AI score 6.5 | EPSS 0.26306
Exploits: 7 | References: 2

Rapid7 Blog
added 2025/12/04 4:05 p.m. | 15 views

React2Shell (CVE-2025-55182) - Critical unauthenticated RCE affecting React Server Components

Overview Update 1: As of 4:30 PM Eastern, December 4, 2025, Rapid7 has validated that a working weaponized proof-of-concept exploit, shared by researcher @maple3142, is now publicly available. Update 2: On December 5, 2025, Lachlan Davidson who discovered the vulnerability has also published...

CVSS 10 | AI score 8.9 | EPSS 0.8516
Exploits: 364

EUVD
added 2025/10/03 8:07 p.m. | 5 views

EUVD-2025-19910

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 9.1 | EPSS 0.00171
Exploits: 0 | References: 6

EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2025-9629

Malicious code in bioql PyPI...

CVSS 6.3 | AI score 5.4 | EPSS 0.00234
Exploits: 55 | References: 3

OSV
added 2025/07/03 9:01 p.m. | 5 views

CVE-2025-49005 Next.js cache poisoning due to omission of Vary header

Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component RSC payloa...

CVSS 3.7 | AI score 7.1 | EPSS 0.00434
Exploits: 1 | References: 7

IBM Security Bulletins
added 2025/06/09 11:30 a.m. | 7 views

Security Bulletin: IBM Rhapsody Systems Engineering is using next-14.2.15.tgz which is vulnerable to CVE-2024-56332

Summary A security vulnerability was identified in the Next.js package used in our product. We have resolved the issue by updating to a non-vulnerable patched version to ensure the continued security and reliability of our application. Following IBM® Engineering Lifecycle Engineering product is...

CVSS 5.3 | AI score 5.8 | EPSS 0.00424
Exploits: 0 | Affected Software: 1

RedhatCVE
added 2025/05/23 1:22 a.m. | 3 views

CVE-2022-21721

Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-...

CVSS 7.5 | AI score 7 | EPSS 0.00931
Exploits: 0 | References: 1

GithubExploit
added 2025/03/29 2:12 a.m. | 231 views

Exploit for CVE-2025-29927

CVE-2025-29927 - Next.js Middleware Authorization Bypass PoC...

CVSS 9.1 | AI score 7.5 | EPSS 0.92118
Exploits: 56

CNVD
added 2025/03/25 12:00 a.m. | 29 views

Vercel Next.js Privilege Bypass Vulnerability

Next.js is an open source React framework from Vercel. Vercel Next.js suffers from a privilege bypass vulnerability: if authorization checking occurs in middleware, an attacker can use the vulnerability to bypass authorization checking...

CVSS 9.1 | AI score 7 | EPSS 0.92118
Exploits: 56 | References: 1

NVD
added 2025/03/21 3:15 p.m. | 22 views

CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to ...

CVSS 9.1 | EPSS 0.92118
Exploits: 56 | References: 8

CVE
added 2025/03/21 2:34 p.m. | 631 views

CVE-2025-29927

CVE-2025-29927 affects Next.js before patches: versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. The issue is an authorization bypass that can occur if the check runs in middleware. Fixed in the specified versions; patching to a safe version is recommended. If patching is infeasible, block external r...

CVSS 9.1 | AI score 6.9 | EPSS 0.92118
In wild | Exploits: 56 | References: 8 | Affected Software: 1

Vulnrichment
added 2024/12/17 6:13 p.m. | 104 views

CVE-2024-51479 Authorization bypass in Next.js

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For...

CVSS 7.5 | AI score 6.9 | EPSS 0.78509
Exploits: 0 | References: 2

Cvelist
added 2024/12/17 6:13 p.m. | 524 views

CVE-2024-51479 Authorization bypass in Next.js

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For...

CVSS 7.5 | EPSS 0.78509
Exploits: 0 | References: 2

AlpineLinux
added 2021/12/09 11:50 p.m. | 46 views

CVE-2021-43803

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom...

CVSS 7.5 | AI score 7.5 | EPSS 0.02149
Exploits: 0