Vercel Next.js vulnerabilities
47 known vulnerabilities affecting vercel/next.js.
Total CVEs: 47
CISA KEV: 1 (actively exploited)
Public exploits: 8
Exploited in wild: 4
Severity breakdown: CRITICAL 2, HIGH 24, MEDIUM 18, LOW 3
Vulnerabilities
Page 3 of 3
CVE-2025-55173  P4  MEDIUM  CVSS 4.3  CWE-20  2025-08-29
Affected: fixed in 14.2.31; ≥ 15.0.0, < 15.4.5; +1 more
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. Th
Source: nvd
CVE-2020-15242  P4  MEDIUM  CVSS 6.1  CWE-601  2020-10-08
Affected: ≥ 9.5.0, < 9.5.4
Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users, although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted doma
Source: nvd
CVE-2026-27978  P4  MEDIUM  CVSS 4.3  CWE-352  2026-03-18
Affected: ≥ 16.0.1, < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cro
Source: nvd
CVE-2025-48068  P4  MEDIUM  CVSS 4.3  CWE-1385  2025-05-30
Affected: ≥ 13.0.0, < 14.2.30; ≥ 15.0.0, < 15.2.2; +2 more
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to
Source: nvd
CVE-2026-44582  P4  LOW  CVSS 3.7  CWE-328  2026-05-13
Affected: ≥ 13.4.6, < 15.5.16; ≥ 16.0.0, < 16.2.5; +2 more
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker
Source: nvd
CVE-2025-32421  P4  LOW  CVSS 3.7  CWE-362  2025-05-14
Affected: fixed in 14.2.24; ≥ 15.0.0, < 15.1.6; +1 more
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by s
Source: nvd
CVE-2025-49005  P4  LOW  CVSS 3.7  CWE-444  2025-07-03
Affected: ≥ 15.3.0, < 15.3.3
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Ve
Source: nvd