
7 matches found

OSV
added 2026/05/11 3:55 p.m. | 2 views

GHSA-C4J6-FC7J-M34R Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

Impact Self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or...

CVSS 8.6 | AI score 5.9 | EPSS 0.0581
Exploits: 7 | References: 5
CVE
added 2026/03/17 11:59 p.m. | 9 views

CVE-2026-27978

Next.js (React framework) vulnerability CVE-2026-27978: in versions 16.0.1 up to 16.1.7, origin: null was treated as missing during Server Action CSRF validation, allowing requests from opaque contexts (e.g., sandboxed iframes) to bypass origin verification and potentially trigger state-changing ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00009
Exploits: 1 | References: 3 | Affected Software: 1
GithubExploit
added 2025/12/20 12:14 a.m. | 154 views

Exploit for Deserialization of Untrusted Data in Facebook React

Node.js RCE Mitigation: DevOps as the Last Line of Defense Th...

CVSS 10 | AI score 8.5 | EPSS 0.84489
Exploits: 362
GithubExploit
added 2025/12/12 9:30 a.m. | 116 views

Exploit for Deserialization of Untrusted Data in Facebook React

REACT2SHELL 🎯 Quick Overview What is this? This tool is...

CVSS 10 | AI score 7.7 | EPSS 0.84489
Exploits: 362
EUVD
added 2025/11/12 4:29 a.m. | 2 views

EUVD-2025-124757

Malicious code in mongoose-nextjs-tailwindcss-xml npm...

AI score 6.6
Exploits: 0
Vulnrichment
added 2025/08/29 9:33 p.m. | 1 views

CVE-2025-57822 Next.js Improper Middleware Redirect Handling Leads to SSRF

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has...

CVSS 6.5 | AI score 6 | EPSS 0.07815
Exploits: 0 | References: 3
CNNVD
added 2025/06/04 12:0 a.m. | 3 views

nextjs-auth0 security vulnerability

nextjs-auth0 is an Auth0 open source Next.js SDK for logging in using Auth0. A security vulnerability exists in nextjs-auth0 versions 4.0.1 through 4.6.0 and earlier, which stems from a missing Cache-Control header that could result in session cookies being cached by a CDN...

CVSS 7.7 | AI score 6.4 | EPSS 0.00282
Exploits: 0 | References: 1