Next.Js
CVE-2025-13984
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.
AnalysisAI
Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. [CVSS 6.1 MEDIUM]
Technical ContextAI
Affects Next.Js. Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
React Server Components in React 19.x contain a critical pre-authentication remote code execution vulnerability (CVE-202
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8,
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in min
A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for t
Share
External POC / Exploit Code
Leaving vuln.today