CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2025-7074 – vercel hyper rimraf-standalone.js ignoreMap redos
https://notcve.org/view.php?id=CVE-2025-7074
05 Jul 2025 — A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/vercel/hyper/issues/8098 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49826 – Next.js DoS vulnerability via cache poisoning
https://notcve.org/view.php?id=CVE-2025-49826
03 Jul 2025 — Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8. • https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49005 – Next.js cache poisoning due to omission of Vary header
https://notcve.org/view.php?id=CVE-2025-49005
03 Jul 2025 — Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cac... • https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-48068 – Information exposure in Next.js dev server due to lack of origin verification
https://notcve.org/view.php?id=CVE-2025-48068
30 May 2025 — Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in version 15.2.2. Next.js is a React framework for building full-stack web applications. • https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r • CWE-1385: Missing Origin Validation in WebSockets •
CVSS: 3.7EPSS: 0%CPEs: 2EXPL: 1CVE-2025-32421 – Next.js Race Condition to Cache Poisoning
https://notcve.org/view.php?id=CVE-2025-32421
14 May 2025 — Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform doe... • https://github.com/zeroc00I/CVE-2025-32421 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-46332 – Information Disclosure via Flags override link
https://notcve.org/view.php?id=CVE-2025-46332
02 May 2025 — Flags SDK is an open-source feature flags toolkit for Next.js and SvelteKit. Impacted versions include flags from 3.2.0 and prior and @vercel/flags from 3.1.1 and prior as certain circumstances allows a bad actor with detailed knowledge of the vulnerability to list all flags returned by the flags discovery endpoint (.well-known/vercel/flags). This vulnerability allows for information disclosure, where a bad actor could gain access to a list of all feature flags exposed through the flags discovery endpoint, ... • https://github.com/vercel/flags/blob/main/packages/flags/guides/upgrade-to-v4.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30218 – Next.js may leak x-middleware-subrequest-id to external hosts
https://notcve.org/view.php?id=CVE-2025-30218
02 Apr 2025 — Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15... • https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.4EPSS: 93%CPEs: 4EXPL: 109CVE-2025-29927 – Authorization Bypass in Next.js Middleware
https://notcve.org/view.php?id=CVE-2025-29927
21 Mar 2025 — Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3. Next.js is a React framework for building full... • https://packetstorm.news/files/id/189975 • CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56332 – Next.js Vulnerable to Denial of Service (DoS) with Server Actions
https://notcve.org/view.php?id=CVE-2024-56332
03 Jan 2025 — Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle ... • https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 76%CPEs: 1EXPL: 0CVE-2024-51479 – Authorization bypass in Next.js
https://notcve.org/view.php?id=CVE-2024-51479
17 Dec 2024 — Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application... • https://github.com/vercel/next.js/releases/tag/v14.2.15 • CWE-285: Improper Authorization •