Vercel Next.Js vulnerabilities
47 known vulnerabilities affecting vercel/next.js.
Total CVEs: 47
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 4
Severity breakdown: CRITICAL 2, HIGH 24, MEDIUM 18, LOW 3
Vulnerabilities
Page 1 of 3
CVE-2025-55182 | P1 | CRITICAL | CVSS 10.0 | KEV, PoC, Ransomware | 2025-12-03
Affected: ≥ 15.0.0, < 15.0.5; ≥ 15.1.0, < 15.1.9; +8 more
CWE-502
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints
Source: nvd
CVE-2025-29927 | P1 | CRITICAL | CVSS 9.1 | Exploited, PoC | 2025-03-21
Affected: ≥ 11.1.4, < 12.3.5; ≥ 13.0.0, < 13.5.9; +6 more
CWE-285
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that y
Source: nvd
CVE-2025-55184 | P1 | HIGH | CVSS 7.5 | Exploited, PoC | 2025-12-11
Affected: ≥ 13.3.0, < 14.2.35; ≥ 15.0.0, < 15.0.7; +8 more
CWE-502
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Fu
Source: nvd
CVE-2024-46982 | P2 | HIGH | CVSS 7.5 | Exploited, PoC | 2024-09-17
Affected: ≥ 13.5.1, < 13.5.7; ≥ 14.0.0, < 14.2.10; +2 more
CWE-639
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and
Source: nvd
CVE-2026-44578 | P2 | HIGH | CVSS 8.6 | PoC | 2026-05-13
Affected: ≥ 13.4.13, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more
CWE-918
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external de
Source: nvd
CVE-2025-55183 | P2 | MEDIUM | CVSS 5.3 | PoC | 2025-12-11
Affected: ≥ 15.0.0, < 15.0.7; ≥ 15.1.0, < 15.1.11; +7 more
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may uns
Source: nvd
CVE-2025-57822 | P2 | HIGH | CVSS 8.2 | PoC | 2025-08-29
Affected: fixed in 14.2.32; ≥ 15.0.0, < 15.4.7; +1 more
CWE-918
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. Al
Source: nvd
CVE-2024-34351 | P2 | HIGH | CVSS 7.5 | PoC | 2024-05-14
Affected: ≥ 13.4.0, < 14.1.1
CWE-918
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js applicati
Source: nvd
CVE-2021-43803 | P3 | HIGH | CVSS 7.5 | 2021-12-10
Affected: ≥ 11.1.0, < 11.1.3; ≥ 12.0.0, < 12.0.5; +2 more
CWE-20
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with
Source: nvd
CVE-2025-67779 | P3 | HIGH | CVSS 7.5 | 2025-12-12
Affected: ≥ 13.3.0, < 14.2.35; ≥ 15.0.0, < 15.0.7; +8 more
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop t
Source: nvd
CVE-2026-44574 | P3 | HIGH | CVSS 8.1 | 2026-05-13
Affected: ≥ 15.4.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more
CWE-288
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that rely on middleware to protect dynamic routes can be vulnerable to authorization bypass. In affected deployments, specially crafted query parameters can alter the dynamic route value seen by the page while leaving the visib
Source: nvd
CVE-2026-44575 | P3 | HIGH | CVSS 7.5 | 2026-05-13
Affected: ≥ 15.2.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more
CWE-288
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc
Source: nvd
CVE-2024-51479 | P3 | HIGH | CVSS 7.5 | 2024-12-17
Affected: ≥ 9.5.5, < 14.2.15
CWE-285
Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affect
Source: nvd
CVE-2026-44573 | P3 | HIGH | CVSS 7.5 | 2026-05-13
Affected: ≥ 12.2.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more
CWE-863
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less /_next/data//.json requests. In affected configurations, middleware d
Source: nvd
CVE-2024-34350 | P3 | HIGH | CVSS 7.5 | 2024-05-14
Affected: ≥ 13.4.0, < 13.5.1
CWE-444
Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in
Source: nvd
CVE-2026-44579 | P3 | HIGH | CVSS 7.5 | 2026-05-13
Affected: ≥ 15.0.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more
CWE-770
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body han
Source: nvd
CVE-2026-45109 | P3 | HIGH | CVSS 7.5 | 2026-05-13
Affected: ≥ 15.2.0, < 15.5.18; ≥ 16.0.0, < 16.2.6
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that the fix addressing CVE-2026-44575 did not apply to middleware.ts with Turbopack. This vulnerability is fixed in 15.5.18 and 16.2.6.
Source: nvd
CVE-2026-27979 | P3 | HIGH | CVSS 7.5 | 2026-03-18
Affected: ≥ 16.0.1, < 16.1.7
CWE-770
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected
Source: nvd
CVE-2022-23646 | P3 | HIGH | CVSS 7.5 | 2022-02-17
Affected: ≥ 10.0.0, < 12.1.0
CWE-451
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If
Source: nvd
CVE-2026-27980 | P3 | HIGH | CVSS 7.5 | 2026-03-18
Affected: ≥ 10.0.0, < 16.1.7
CWE-400
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk s
Source: nvd