Skip to main content

Next.js CVE-2026-44581

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 https://github.com/vercel/next.js GHSA-ffhc-5mcf-pf4q
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
4.2 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:17 vuln.today
Analysis Generated
May 11, 2026 - 16:17 vuln.today
CVE Published
May 11, 2026 - 15:57 nvd
MEDIUM 4.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on next (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 13.4.0.

DescriptionGitHub Advisory

Impact

App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors.

Fix

We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context.

Workarounds

If you cannot upgrade immediately, strip inbound Content-Security-Policy request headers from untrusted traffic.

AnalysisAI

Cross-site scripting via CSP nonce poisoning in Next.js App Router allows attackers to inject malicious scripts into cached HTML responses when applications process untrusted CSP request headers. Versions 13.4.0-15.5.15 and 16.0.0-16.2.4 are vulnerable; attackers can craft malformed nonce values that escape sanitization and execute arbitrary JavaScript for subsequent cache visitors. No public exploit code identified at time of analysis, but the attack requires no authentication and low user interaction (cache hit by victim), making it practically exploitable in shared hosting and CDN scenarios.

Technical ContextAI

Next.js App Router implements Content-Security-Policy (CSP) nonces to protect inline scripts from injection attacks. The vulnerability stems from insufficient validation of nonce values extracted from inbound CSP request headers before embedding them into HTML attributes. When these nonce values are malformed, the application fails to properly escape or sanitize them before rendering, allowing an attacker to break out of the attribute context and inject arbitrary HTML/script tags. This is a classic stored XSS scenario exacerbated by shared caching layers (proxies, CDNs) that cache and serve the poisoned response to subsequent users. CWE-79 (Improper Neutralization of Input During Web Page Generation) captures the root cause: the framework reflects unsanitized, attacker-controlled CSP header data into HTML without proper output encoding.

RemediationAI

Upgrade Next.js immediately to version 15.5.16 (for 13.4.0-15.x users) or 16.2.5 (for 16.0.0-16.x users). Both versions apply stricter nonce sanitization and reject malformed nonce values before HTML embedding. If immediate upgrade is not feasible, implement a temporary workaround by stripping all inbound Content-Security-Policy request headers from untrusted traffic sources at your reverse proxy, load balancer, or WAF layer (e.g., nginx proxy_set_header CSP ""; or Cloudflare page rule to remove header). This workaround eliminates the attack vector but disables legitimate CSP nonce handling from clients and requires redeployment once patched. For applications behind shared caches, coordinate cache invalidation after upgrading to purge any previously poisoned responses; consider using versioned cache keys or Cache-Control headers during the upgrade window.

Vendor StatusVendor

Share

CVE-2026-44581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy