next (npm) security advisories

MEDIUM 5.4

npm

CVE-2026-44576

Next.js vulnerable to cache poisoning in React Server Component responses

May 11, 2026

LOW 3.7

npm

CVE-2026-44582

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

May 11, 2026

MEDIUM 5.9

npm

CVE-2026-44577

Next.js has a Denial of Service in the Image Optimization API

May 11, 2026

MEDIUM 6.1

npm

CVE-2026-44580

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

May 11, 2026

MEDIUM 4.7

npm

CVE-2026-44581

Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

May 11, 2026

HIGH 7.5

npm

CVE-2026-44579

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

May 11, 2026

HIGH 8.6

npm

CVE-2026-44578

Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

May 11, 2026

LOW 3.7

npm

CVE-2026-44572

Next.js's Middleware / Proxy redirects can be cache-poisoned

May 11, 2026

HIGH 7.5

npm

CVE-2026-44573

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

May 11, 2026

HIGH 7.5

npm

CVE-2026-44575

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

May 11, 2026

HIGH 8.1

npm

CVE-2026-44574

Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

May 11, 2026

HIGH 7.5

npm

CVE-2026-45109

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

May 11, 2026

HIGH 7.5

npm

GHSA-8h8q-6873-q5fj

Next.js Vulnerable to Denial of Service with Server Components

May 11, 2026

HIGH 7.5

npm

GHSA-q4gf-8mx6-v5v3

Next.js has a Denial of Service with Server Components

Apr 10, 2026

MEDIUM 5.9

npm

CVE-2025-59472

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

Jan 28, 2026

UNKNOWN

npm

CVE-2026-27977

Next.js: null origin can bypass dev HMR websocket CSRF checks

Mar 17, 2026

UNKNOWN

npm

CVE-2026-27980

Next.js: Unbounded next/image disk cache growth can exhaust storage

Mar 17, 2026

UNKNOWN

npm

CVE-2026-27979

Next.js: Unbounded postponed resume buffering can lead to DoS

Mar 17, 2026

UNKNOWN

npm

CVE-2026-27978

Next.js: null origin can bypass Server Actions CSRF checks

Mar 17, 2026

UNKNOWN

npm

CVE-2026-29057

Next.js: HTTP request smuggling in rewrites

Mar 17, 2026

MEDIUM 4.7

npm

CVE-2020-15242

Open Redirect in Next.js versions

Oct 8, 2020

HIGH 7.5

npm

CVE-2021-43803

Unexpected server crash in Next.js.

Dec 7, 2021

HIGH 7.5

npm

CVE-2021-39178

XSS in Image Optimization API for Next.js

Sep 1, 2021

MEDIUM 6.9

npm

CVE-2021-37699

Open Redirect in Next.js

Aug 12, 2021

CRITICAL 9.1

npm

CVE-2025-29927

Authorization Bypass in Next.js Middleware

Mar 21, 2025

HIGH 7.5

npm

GHSA-h25m-26qc-wcjf

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

Jan 28, 2026

MEDIUM 5.9

npm

CVE-2025-59471

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

Jan 27, 2026

MEDIUM 5.3

npm

CVE-2024-56332

Next.js Allows a Denial of Service (DoS) with Server Actions

Jan 3, 2025

MEDIUM 4.3

npm

CVE-2025-55173

Next.js Content Injection Vulnerability for Image Optimization

Aug 29, 2025

MEDIUM 6.5

npm

CVE-2025-57822

Next.js Improper Middleware Redirect Handling Leads to SSRF

Aug 29, 2025

HIGH 7.5

npm

GHSA-mwv6-3258-q52c

Next Vulnerable to Denial of Service with Server Components

Dec 11, 2025

HIGH 7.5

npm

CVE-2024-46982

Next.js Cache Poisoning

Sep 17, 2024

CRITICAL 10.0

npm

GHSA-9qr9-h5gf-34mp

Next.js is vulnerable to RCE in React flight protocol

Dec 3, 2025

HIGH 7.5

npm

CVE-2024-34351

Next.js Server-Side Request Forgery in Server Actions

May 9, 2024

MEDIUM 5.9

npm

CVE-2024-47831

Denial of Service condition in Next.js image optimization

Oct 14, 2024

MEDIUM 5.3

npm

GHSA-w37m-7fhw-fmv9

Next Server Actions Source Code Exposure

Dec 11, 2025

MEDIUM 6.2

npm

CVE-2025-57752

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Aug 29, 2025

HIGH 7.5

npm

GHSA-5j59-xgg2-r9c4

Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

Dec 12, 2025

LOW 3.7

npm

CVE-2025-49005

Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Jul 3, 2025

UNKNOWN

npm

CVE-2025-30218

Next.js may leak x-middleware-subrequest-id to external hosts

Apr 2, 2025

MEDIUM 4.4

npm

CVE-2020-5284

Directory Traversal in Next.js

Mar 30, 2020

LOW 3.7

npm

CVE-2025-32421

Next.js Race Condition to Cache Poisoning

May 15, 2025

HIGH 7.5

npm

CVE-2024-51479

Next.js authorization bypass vulnerability

Dec 17, 2024

HIGH 7.5

npm

CVE-2025-49826

Next.JS vulnerability can lead to DoS via cache poisoning

Jul 3, 2025

UNKNOWN

npm

CVE-2025-48068

Information exposure in Next.js dev server due to lack of origin verification

May 28, 2025

HIGH 7.5

npm

CVE-2024-39693

Next.js Denial of Service (DoS) condition

Jul 10, 2024

HIGH 7.5

npm

CVE-2024-34350

Next.js Vulnerable to HTTP Request Smuggling

May 9, 2024

HIGH 7.5

npm

CVE-2017-16877

Next.js Directory Traversal Vulnerability

Dec 5, 2017

UNKNOWN

npm

CVE-2023-46298

Next.js missing cache-control header may lead to CDN caching empty reply

Oct 22, 2023

MEDIUM 5.3

npm

CVE-2022-36046

Unexpected server crash in Next.js

Aug 30, 2022

MEDIUM 5.9

npm

CVE-2022-23646

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Feb 17, 2022

MEDIUM 5.9

npm

CVE-2022-21721

Denial of Service Vulnerability in next.js

Jan 28, 2022

HIGH 7.5

npm

CVE-2018-6184

Directory traversal vulnerability in Next.js

Jan 24, 2018

MEDIUM 6.1

npm

CVE-2018-18282

Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page

Oct 15, 2018

UNKNOWN

npm

GHSA-5vj8-3v2h-h38v

Remote Code Execution in next

Sep 4, 2020

next

Vulnerabilities

Next.js vulnerable to cache poisoning in React Server Component responses

Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting

Next.js has a Denial of Service in the Image Optimization API

Next.js has cross-site scripting in beforeInteractive scripts with untrusted input

Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces

Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components

Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades

Next.js's Middleware / Proxy redirects can be cache-poisoned

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

Next.js has a Middleware / Proxy bypass through dynamic route parameter injection

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

Next.js Vulnerable to Denial of Service with Server Components

Next.js has a Denial of Service with Server Components

Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

Next.js: null origin can bypass dev HMR websocket CSRF checks

Next.js: Unbounded next/image disk cache growth can exhaust storage

Next.js: Unbounded postponed resume buffering can lead to DoS

Next.js: null origin can bypass Server Actions CSRF checks

Next.js: HTTP request smuggling in rewrites

Open Redirect in Next.js versions

Unexpected server crash in Next.js.

XSS in Image Optimization API for Next.js

Open Redirect in Next.js

Authorization Bypass in Next.js Middleware

Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

Next.js Allows a Denial of Service (DoS) with Server Actions

Next.js Content Injection Vulnerability for Image Optimization

Next.js Improper Middleware Redirect Handling Leads to SSRF

Next Vulnerable to Denial of Service with Server Components

Next.js Cache Poisoning

Next.js is vulnerable to RCE in React flight protocol

Next.js Server-Side Request Forgery in Server Actions

Denial of Service condition in Next.js image optimization

Next Server Actions Source Code Exposure

Next.js Affected by Cache Key Confusion for Image Optimization API Routes

Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Next.js may leak x-middleware-subrequest-id to external hosts

Directory Traversal in Next.js

Next.js Race Condition to Cache Poisoning

Next.js authorization bypass vulnerability

Next.JS vulnerability can lead to DoS via cache poisoning

Information exposure in Next.js dev server due to lack of origin verification

Next.js Denial of Service (DoS) condition

Next.js Vulnerable to HTTP Request Smuggling

Next.js Directory Traversal Vulnerability

Next.js missing cache-control header may lead to CDN caching empty reply

Unexpected server crash in Next.js

Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0

Denial of Service Vulnerability in next.js

Directory traversal vulnerability in Next.js

Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page

Remote Code Execution in next

Start Securing