Vercel Next.Js vulnerabilities
47 known vulnerabilities affecting vercel/next.js.
Total CVEs: 47
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 4
Severity breakdown: CRITICAL 2, HIGH 24, MEDIUM 18, LOW 3
Vulnerabilities
Page 2 of 3
CVE-2025-59471 | P3 | HIGH | CVSS 7.5 | CWE-400 | Versions: ≥ 10.0.0, < 15.5.10; ≥ 16.0.0, < 16.1.5 | 2026-01-26
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization
Source: NVD
CVE-2025-59472 | P3 | HIGH | CVSS 7.5 | CWE-400 | Versions: ≥ 15.0.0, < 15.6.0; ≥ 16.0.0, < 16.1.5; +1 more | 2026-01-26
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the serv
Source: NVD
CVE-2025-49826 | P3 | HIGH | CVSS 7.5 | CWE-444 | Versions: fixed in 15.1.8; v15.0.4; +1 more | 2025-07-03
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for sta
Source: NVD
CVE-2022-21721 | P3 | HIGH | CVSS 7.5 | Versions: ≥ 12.0.0, < 12.0.9 | 2022-01-28
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar envir
Source: NVD
CVE-2026-29057 | P3 | MEDIUM | CVSS 6.5 | CWE-444 | Versions: ≥ 9.5.0, < 15.5.13; ≥ 16.0.0, < 16.1.7; +2 more | 2026-03-18
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This
Source: NVD
CVE-2023-46298 | P3 | HIGH | CVSS 7.5 | Versions: fixed in 13.4.20; v13.4.20 | 2023-10-22
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.
Source: NVD
CVE-2024-47831 | P3 | HIGH | CVSS 7.5 | CWE-674 | Versions: ≥ 10.0.0, < 14.2.7 | 2024-10-14
Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `image
Source: NVD
CVE-2024-39693 | P3 | HIGH | CVSS 7.5 | CWE-400 | Versions: ≥ 13.3.1, < 13.5.0 | 2024-07-10
Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. This vulnerability was resolved in Next.js 13.5 and later.
Source: NVD
CVE-2026-44577 | P4 | MEDIUM | CVSS 5.9 | CWE-770 | Versions: ≥ 10.0.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more | 2026-05-13
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large loc
Source: NVD
CVE-2025-57752 | P4 | MEDIUM | CVSS 6.2 | CWE-524 | Versions: fixed in 14.2.31; ≥ 15.0.0, < 15.4.5; +1 more | 2025-08-29
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cache
Source: NVD
CVE-2025-30218 | P4 | MEDIUM | CVSS 5.9 | Versions: v12.3.5; v13.5.9; +2 more | 2025-04-02
Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a th
Source: NVD
CVE-2026-44572 | P4 | MEDIUM | CVSS 5.9 | CWE-349 | Versions: ≥ 12.2.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more | 2026-05-13
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard
Source: NVD
CVE-2026-44576 | P4 | MEDIUM | CVSS 5.4 | CWE-436 | Versions: ≥ 14.2.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more | 2026-05-13
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the origin
Source: NVD
CVE-2026-44580 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Versions: ≥ 13.0.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more | 2026-05-13
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, whic
Source: NVD
CVE-2024-56332 | P4 | MEDIUM | CVSS 5.3 | CWE-770 | Versions: ≥ 13.0.0, < 13.5.8; ≥ 14.0.0, < 14.2.21; +4 more | 2025-01-03
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execu
Source: NVD
CVE-2026-27977 | P4 | MEDIUM | CVSS 5.4 | CWE-1385 | Versions: ≥ 16.0.1, < 16.1.7 | 2026-03-18
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed
Source: NVD
CVE-2021-37699 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Versions: ≥ 10.0.5, ≤ 10.2.0; ≥ 11.0.0, ≤ 11.0.1; +1 more | 2021-08-12
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by r
Source: NVD
CVE-2021-39178 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Versions: ≥ 10.0.0, < 11.1.1 | 2021-08-31
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js
Source: NVD
CVE-2022-36046 | P4 | MEDIUM | CVSS 5.3 | CWE-248 | Versions: v12.2.3 | 2022-08-31
Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-se
Source: NVD
CVE-2026-44581 | P4 | MEDIUM | CVSS 4.7 | CWE-79 | Versions: ≥ 13.4.0, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more | 2026-05-13
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered
Source: NVD