Lucene search

7 matches found

CVE, added 2025/03/21 3:15 p.m., 480 views

CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a ...

CVSS 9.1 | AI score 6.9 | EPSS 0.93601
CVE, added 2025/01/03 9:15 p.m., 282 views

CVE-2024-56332

Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leave requests to Server Actions hanging u...

CVSS 5.3 | AI score 5.4 | EPSS 0.00289
CVE, added 2025/05/30 4:15 a.m., 68 views

CVE-2025-48068

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects loca...

CVSS 2.3 | AI score 4.5 | EPSS 0.00027
CVE, added 2025/04/02 10:15 p.m., 46 views

CVE-2025-30218

Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as...

CVSS 6.3 | AI score 7 | EPSS 0.93601
CVE, added 2025/05/14 11:15 p.m., 42 views

CVE-2025-32421

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML. This ...

CVSS 3.7 | AI score 6.8 | EPSS 0.0003
CVE, added 2025/07/03 9:15 p.m., 21 views

CVE-2025-49005

Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payloa...

CVSS 3.7 | AI score 6.3 | EPSS 0.00041
CVE, added 2025/07/03 9:15 p.m., 21 views

CVE-2025-49826

Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this is...

CVSS 7.5 | AI score 6.5 | EPSS 0.00017