CVSS: 7.8EPSS: 1%CPEs: 14EXPL: 1CVE-2023-46298
https://notcve.org/view.php?id=CVE-2023-46298
22 Oct 2023 — Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Next.js anterior a 13.4.20-canary.13 carece de un encabezado de control de caché y, por lo tanto, a veces una CDN puede almacenar en caché respuestas de captación previa vacías, lo que provoca una denegación de servicio a todos los usuarios que solicitan la misma URL a través de esa CDN. • https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2017-20162 – vercel ms index.js parse redos
https://notcve.org/view.php?id=CVE-2017-20162
05 Jan 2023 — A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36046 – Unexpected server crash in Next.js version 12.2.3
https://notcve.org/view.php?id=CVE-2022-36046
31 Aug 2022 — Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across r... • https://github.com/vercel/next.js/releases/tag/v12.2.4 • CWE-248: Uncaught Exception CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-23646 – Improper CSP in Image Optimization API for Next.js
https://notcve.org/view.php?id=CVE-2022-23646
17 Feb 2022 — Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this ... • https://github.com/vercel/next.js/pull/34075 • CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-21721 – DOS Vulnerability in next.js
https://notcve.org/view.php?id=CVE-2022-21721
28 Jan 2022 — Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this is... • https://github.com/vercel/next.js/pull/33503 •
CVSS: 7.5EPSS: 1%CPEs: 3EXPL: 0CVE-2021-43803 – Unexpected server crash in Next.js
https://notcve.org/view.php?id=CVE-2021-43803
09 Dec 2021 — Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. • https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39178 – XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0
https://notcve.org/view.php?id=CVE-2021-39178
30 Aug 2021 — Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. Th... • https://github.com/vercel/next.js/releases/tag/v11.1.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2021-37699 – Open Redirect in Next.js versions below 11.1.0
https://notcve.org/view.php?id=CVE-2021-37699
11 Aug 2021 — Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue ha... • https://github.com/vercel/next.js/releases/tag/v11.1.0 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15242 – Open Redirect in Next.js
https://notcve.org/view.php?id=CVE-2020-15242
08 Oct 2020 — Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4. Next.js versiones de posteriores e incluyendo a 9.5.0 y anteriores a 9.5.4, son vulnerables a un redireccionamiento abie... • https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2015-8315
https://notcve.org/view.php?id=CVE-2015-8315
23 Jan 2017 — The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." El paquete ms en versiones anteriores a 0.7.1 para Node.js permite a atacantes provocar una denegación de servicio (consumo de CPU) a través de una cadena de versión larga, vulnerabilidad también conocida como "denegación de servicio de expresión regular (ReDoS)". • http://www.openwall.com/lists/oss-security/2016/04/20/11 • CWE-1333: Inefficient Regular Expression Complexity •