Next.js CVE-2026-44580
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 16 npm packages depend on next (15 direct, 1 indirect)
Ecosystem-wide dependent count for version 13.0.0.
DescriptionGitHub Advisory
Impact
Applications that use beforeInteractive scripts together with untrusted content can be vulnerable to cross-site scripting. In affected versions, serialized script content was not escaped safely before being embedded into the document, which could allow attacker-controlled input to break out of the intended script context and execute arbitrary JavaScript in a visitor's browser.
Fix
We now HTML-escape serialized beforeInteractive script content before embedding it into the page, preventing attacker-controlled content from breaking out of the inline script boundary.
Workarounds
If you cannot upgrade immediately, do not pass untrusted data into beforeInteractive scripts. If that pattern is unavoidable, sanitize or escape the content before embedding it.
AnalysisAI
Cross-site scripting in Next.js beforeInteractive scripts allows remote unauthenticated attackers to execute arbitrary JavaScript in visitor browsers when applications pass untrusted content to beforeInteractive script features. The vulnerability arises from insufficient HTML escaping of serialized script content before embedding into the document, enabling attackers to break out of the script context. Affected versions include 13.0.0 through 15.5.15 and 16.0.0 through 16.2.4; patched versions 15.5.16 and 16.2.5 are available. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS score of 6.1 reflects moderate risk with required user interaction.
Technical ContextAI
Next.js is a React framework that provides the beforeInteractive script feature for executing JavaScript in the page head before React hydration. The vulnerability exists in how Next.js serializes and embeds beforeInteractive script content into the HTML document. When application code passes untrusted user input (such as from database queries, API responses, or URL parameters) directly into beforeInteractive script payloads, the framework failed to properly HTML-escape the content before inserting it into inline script tags. This is a classic DOM-based XSS vulnerability (CWE-79) where unsafe string concatenation allows malicious input containing script delimiters or JavaScript syntax to escape the intended script context and execute arbitrary code in the visitor's browser. The vulnerability is specific to the beforeInteractive feature and does not affect other Next.js script loading mechanisms that properly handle content sanitization.
RemediationAI
Upgrade Next.js to version 15.5.16 or later for the 15.x branch, or version 16.2.5 or later for the 16.x branch. These versions implement HTML-escaping of serialized beforeInteractive script content, preventing attacker-controlled input from breaking out of the script boundary. The upgrade can be performed via npm update next or by modifying package.json and reinstalling dependencies. If immediate upgrade is not feasible, implement the following compensating controls with noted trade-offs: (1) Do not pass untrusted data (user input, database-sourced content, or API responses) directly into beforeInteractive script features - this is the primary mitigation and involves code review of all beforeInteractive usage; (2) If passing dynamic content to beforeInteractive is unavoidable, manually HTML-escape all untrusted input using libraries like he or xss before embedding, though this shifts responsibility to developers and increases risk of escape failures; (3) Implement Content Security Policy (CSP) with script-src restrictions to limit the impact of successfully injected scripts, though CSP does not prevent inline script execution without nonce or hash whitelisting, which Next.js may not support for dynamically-generated beforeInteractive scripts. Vercel recommends immediate patching as the primary remediation path.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-gx5p-jg67-6x7h