CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30218 – Next.js may leak x-middleware-subrequest-id to external hosts
https://notcve.org/view.php?id=CVE-2025-30218
02 Apr 2025 — Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15... • https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.4EPSS: 91%CPEs: 4EXPL: 62CVE-2025-29927 – Authorization Bypass in Next.js Middleware
https://notcve.org/view.php?id=CVE-2025-29927
21 Mar 2025 — Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3. Next.js is a React framework for building full... • https://packetstorm.news/files/id/189975 • CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56332 – Next.js Vulnerable to Denial of Service (DoS) with Server Actions
https://notcve.org/view.php?id=CVE-2024-56332
03 Jan 2025 — Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle ... • https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9 • CWE-770: Allocation of Resources Without Limits or Throttling •