Lucene search
K

6 matches found

CVE
CVE
added 2023/10/22 12:0 a.m.185 views

CVE-2023-46298

CVE-2023-46298 affects Next.js (pre-13.4.20-canary.13) where a missing cache-control header can allow empty prefetch responses to be cached by a CDN, enabling a denial of service for users accessing the same URL through that CDN. The available documents identify the affected product and the root ...

7.5CVSS7.3AI score0.01284EPSS
CVE
CVE
added 2025/05/14 10:56 p.m.91 views

CVE-2025-32421

Next.js CVE-2025-32421 describes a race-condition in the Pages Router that, under certain misconfigurations, can cause endpoints to serve pageProps data instead of HTML. Affected versions are pre-14.2.24 and pre-15.1.6; patch versions 14.2.24 and 15.1.6 strip the x-now-route-matches header to mit...

3.7CVSS6.8AI score0.00666EPSS
Web
CVE
CVE
added 2025/08/29 9:33 p.m.87 views

CVE-2025-57822

CVE-2025-57822 (Next.js SSRF via next() in self-hosted environments) The connected documents confirm a concrete SSRF vulnerability in Next.js when next() is called without explicitly passing the request object, allowing headers to be forwarded insecurely in self-hosted middleware. Impact is descr...

8.2CVSS6.3AI score0.02328EPSS
CVE
CVE
added 2025/07/03 9:3 p.m.66 views

CVE-2025-49826

CVE-2025-49826 affects Next.js (Next.js versions 15.0.4-canary.51 through, but not including, 15.1.8). The root cause is a cache poisoning flaw that can allow a HTTP 204 response for static pages to be cached and subsequently served to all users, yielding a DoS. The issue does not impact customer...

7.5CVSS6.5AI score0.008EPSS
CVE
CVE
added 2025/08/29 10:0 p.m.66 views

CVE-2025-55173

CVE-2025-55173 is a vulnerability in Next.js Image Optimization: attacker-controlled external image sources could cause content injection, enabling file downloads with arbitrary content/filenames under certain configurations and potentially aiding phishing. Affected versions are Next.js before 14...

4.3CVSS6.5AI score0.00509EPSS
CVE
CVE
added 2025/08/29 10:6 p.m.65 views

CVE-2025-57752

CVE-2025-57752 affects Next.js image optimization API routes. The cache key confusion bug can cause responses that depend on request headers (e.g., Cookie/Authorization) to be cached and served to unauthorized users. Impact: potential exposure of image responses to unintended users. Affected vers...

6.2CVSS6.3AI score0.00325EPSS