Next.js@15.0.0 Security Vulnerabilities and Issues — Next.js@15.0.0 CVE List

Lucene search

VercelNext.js15.0.0

7 matches found

CVE•added 2025/03/21 3:15 p.m.•544 views

CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a ...

9.1CVSS6.9AI score0.92084EPSS

In wildWeb

CVE•added 2025/01/03 9:15 p.m.•342 views

CVE-2024-56332

Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging u...

5.3CVSS5.4AI score0.00646EPSS

CVE•added 2025/05/30 4:15 a.m.•73 views

CVE-2025-48068

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects loca...

4.3CVSS4.5AI score0.00017EPSS

CVE•added 2025/05/14 11:15 p.m.•47 views

CVE-2025-32421

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML. This ...

3.7CVSS6.8AI score0.00034EPSS

CVE•added 2025/08/29 10:15 p.m.•22 views

CVE-2025-57822

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has...

8.2CVSS6.3AI score0.06179EPSS

CVE•added 2025/08/29 10:15 p.m.•21 views

CVE-2025-55173

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary co...

4.3CVSS6.5AI score0.00083EPSS

CVE•added 2025/08/29 10:15 p.m.•21 views

CVE-2025-57752

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Author...

6.2CVSS6.3AI score0.00016EPSS