Next.js
Monthly
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.
A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.8%.
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.
A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.
Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.8%.