Next.js CVE-2026-44581
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 4 npm packages depend on next (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 13.4.0.
DescriptionGitHub Advisory
Impact
App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors.
Fix
We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context.
Workarounds
If you cannot upgrade immediately, strip inbound Content-Security-Policy request headers from untrusted traffic.
AnalysisAI
Cross-site scripting via CSP nonce poisoning in Next.js App Router allows attackers to inject malicious scripts into cached HTML responses when applications process untrusted CSP request headers. Versions 13.4.0-15.5.15 and 16.0.0-16.2.4 are vulnerable; attackers can craft malformed nonce values that escape sanitization and execute arbitrary JavaScript for subsequent cache visitors. No public exploit code identified at time of analysis, but the attack requires no authentication and low user interaction (cache hit by victim), making it practically exploitable in shared hosting and CDN scenarios.
Technical ContextAI
Next.js App Router implements Content-Security-Policy (CSP) nonces to protect inline scripts from injection attacks. The vulnerability stems from insufficient validation of nonce values extracted from inbound CSP request headers before embedding them into HTML attributes. When these nonce values are malformed, the application fails to properly escape or sanitize them before rendering, allowing an attacker to break out of the attribute context and inject arbitrary HTML/script tags. This is a classic stored XSS scenario exacerbated by shared caching layers (proxies, CDNs) that cache and serve the poisoned response to subsequent users. CWE-79 (Improper Neutralization of Input During Web Page Generation) captures the root cause: the framework reflects unsanitized, attacker-controlled CSP header data into HTML without proper output encoding.
RemediationAI
Upgrade Next.js immediately to version 15.5.16 (for 13.4.0-15.x users) or 16.2.5 (for 16.0.0-16.x users). Both versions apply stricter nonce sanitization and reject malformed nonce values before HTML embedding. If immediate upgrade is not feasible, implement a temporary workaround by stripping all inbound Content-Security-Policy request headers from untrusted traffic sources at your reverse proxy, load balancer, or WAF layer (e.g., nginx proxy_set_header CSP ""; or Cloudflare page rule to remove header). This workaround eliminates the attack vector but disables legitimate CSP nonce handling from clients and requires redeployment once patched. For applications behind shared caches, coordinate cache invalidation after upgrading to purge any previously poisoned responses; consider using versioned cache keys or Cache-Control headers during the upgrade window.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-ffhc-5mcf-pf4q