CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30218 – Next.js may leak x-middleware-subrequest-id to external hosts
https://notcve.org/view.php?id=CVE-2025-30218
02 Apr 2025 — Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15... • https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.4EPSS: 84%CPEs: 3EXPL: 60CVE-2025-29927 – Authorization Bypass in Next.js Middleware
https://notcve.org/view.php?id=CVE-2025-29927
21 Mar 2025 — Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3. • https://packetstorm.news/files/id/189975 • CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56332 – Next.js Vulnerable to Denial of Service (DoS) with Server Actions
https://notcve.org/view.php?id=CVE-2024-56332
03 Jan 2025 — Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle ... • https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 40%CPEs: 1EXPL: 0CVE-2024-51479 – Authorization bypass in Next.js
https://notcve.org/view.php?id=CVE-2024-51479
17 Dec 2024 — Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application... • https://github.com/vercel/next.js/releases/tag/v14.2.15 • CWE-285: Improper Authorization •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47831 – Next.js image optimization has Denial of Service condition
https://notcve.org/view.php?id=CVE-2024-47831
14 Oct 2024 — Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was f... • https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a • CWE-674: Uncontrolled Recursion •
CVSS: 7.8EPSS: 48%CPEs: 2EXPL: 2CVE-2024-46982 – Cache Poisoning in next.js
https://notcve.org/view.php?id=CVE-2024-46982
17 Sep 2024 — Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following ... • https://github.com/CodePontiff/next_js_poisoning • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39693 – Next.js Denial of Service (DoS) condition
https://notcve.org/view.php?id=CVE-2024-39693
10 Jul 2024 — Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. his vulnerability was resolved in Next.js 13.5 and later. Next.js es un framework de React. Se identificó una condición de denegación de servicio (DoS) en Next.js. • https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 70%CPEs: 1EXPL: 3CVE-2024-34351 – Next.js Server-Side Request Forgery in Server Actions
https://notcve.org/view.php?id=CVE-2024-34351
09 May 2024 — Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the... • https://github.com/Voorivex/CVE-2024-34351 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 3%CPEs: 1EXPL: 0CVE-2024-34350 – Next.js Vulnerable to HTTP Request Smuggling
https://notcve.org/view.php?id=CVE-2024-34350
09 May 2024 — Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-... • https://github.com/vercel/next.js/security/advisories/GHSA-77r5-gw3j-2mpf • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24828 – Local Privilege Escalation in execuatables bundled by pkg
https://notcve.org/view.php?id=CVE-2024-24828
09 Feb 2024 — pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. • https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54 • CWE-276: Incorrect Default Permissions •