vercel next.js

53 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-45109
>= 15.2.0 and < 15.5.18
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.18 and 16.2.6, it was found that
7.5 HIGH
CVE-2026-44582
>= 13.4.6 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Comp
3.7 LOW
CVE-2026-44581
>= 13.4.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applic
4.7 MEDIUM
CVE-2026-44580
>= 13.0.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.0.0 to before 15.5.16 and 16.2.5, applications that
6.1 MEDIUM
CVE-2026-44579
>= 15.0.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Part
7.5 HIGH
CVE-2026-44578
>= 13.4.13 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted appl
8.6 HIGH
CVE-2026-44577
>= 10.0.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting
5.9 MEDIUM
CVE-2026-44576
>= 14.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications usin
5.4 MEDIUM
CVE-2026-44575
>= 15.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applic
7.5 HIGH
CVE-2026-44574
>= 15.4.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 15.4.0 to before 15.5.16 and 16.2.5, applications that
8.1 HIGH
CVE-2026-44573
>= 12.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications usin
7.5 HIGH
CVE-2026-44572
>= 12.2.0 and < 15.5.16
Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external clien
3.7 LOW
CVE-2026-29057
>= 9.5.0 and < 15.5.13
Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and
6.5 MEDIUM
CVE-2026-27980
>= 10.0.0 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the
7.5 HIGH
CVE-2026-27979
>= 16.0.1 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a r
7.5 HIGH
CVE-2026-27978
>= 16.0.1 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `or
4.3 MEDIUM
CVE-2026-27977
>= 16.0.1 and < 16.1.7
Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in
5.4 MEDIUM
CVE-2025-59472
>= 15.0.0 and < 15.6.0
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode.
5.9 MEDIUM
CVE-2025-59471
>= 10.0.0 and < 15.5.10
A denial of service vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image O
5.9 MEDIUM
CVE-2025-67779
>= 13.3.0 and < 14.2.35
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of ser
7.5 HIGH
CVE-2025-55184
>= 13.3.0 and < 14.2.35
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.
7.5 HIGH
CVE-2025-55183
>= 15.0.0 and < 15.0.7
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.
5.3 MEDIUM
CVE-2025-55182
>= 15.0.0 and < 15.0.5
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19
10.0 CRITICAL
CVE-2025-48985
< 5.0.52
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed
3.7 LOW
CVE-2025-57822
< 14.2.32
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used
6.5 MEDIUM
CVE-2025-57752
< 14.2.31
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5
6.2 MEDIUM
CVE-2025-55173
< 14.2.31
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5
4.3 MEDIUM
CVE-2025-7074
<= 3.4.1
A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand
4.3 MEDIUM
CVE-2025-49826
> 15.0.4 and < 15.1.8
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache po
7.5 HIGH
CVE-2025-49005
>= 15.3.0 and < 15.3.3
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Verc
3.7 LOW
CVE-2025-48068
>= 13.0.0 and < 14.2.30
Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0
4.3 MEDIUM
CVE-2025-32421
< 14.2.24
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition
3.7 LOW
CVE-2025-30218
all versions
Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middlew
5.9 MEDIUM
CVE-2025-29927
>= 11.1.4 and < 12.3.5
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13
9.1 CRITICAL
CVE-2024-56332
>= 13.0.0 and < 13.5.8
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14
5.3 MEDIUM
CVE-2024-51479
>= 9.5.5 and < 14.2.15
Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing
7.5 HIGH
CVE-2024-47831
>= 10.0.0 and < 14.2.7
Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain
5.9 MEDIUM
CVE-2024-46982
>= 13.5.1 and < 13.5.7
Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison
7.5 HIGH
CVE-2024-39693
>= 13.3.1 and < 13.5.0
Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a
7.5 HIGH
CVE-2024-34351
>= 13.4.0 and < 14.1.1
Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vul
7.5 HIGH
CVE-2024-34350
>= 13.4.0 and < 13.5.1
Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpr
7.5 HIGH
CVE-2024-24828
<= 5.8.1
pkg is a tool designed to bundle Node.js projects into executables. Any native code packages built by pkg are written to a hardco
6.6 MEDIUM
CVE-2024-23741
<= 3.4.1
An issue in Hyper on macOS version 3.4.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enabl
9.8 CRITICAL
CVE-2023-46298
< 13.4.20
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN,
7.5 HIGH
CVE-2017-20162
< 2.0.0
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse
4.3 MEDIUM
CVE-2022-36046
all versions
Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be
5.3 MEDIUM
CVE-2022-23646
>= 10.0.0 and < 12.1.0
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (U
5.9 MEDIUM
CVE-2022-21721
>= 12.0.0 and < 12.0.9
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to
5.9 MEDIUM
CVE-2021-43803
>= 11.1.0 and < 11.1.3
Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server c
7.5 HIGH
CVE-2021-39178
>= 10.0.0 and < 11.1.1
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order
7.5 HIGH
CVE-2021-37699
>= 10.0.5 and <= 10.2.0
Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded
6.9 MEDIUM
CVE-2020-15242
>= 9.5.0 and < 9.5.4
Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing sl
4.7 MEDIUM
CVE-2015-8315
< 0.7.1
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string,
7.5 HIGH
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin