Skip to main content

Next.js

12 CVEs product

Monthly

CVE-2026-41248 npm CRITICAL PATCH GHSA Act Now

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1

Authentication Bypass Astro Next.js Nuxt Shared
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-57822 npm MEDIUM POC PATCH This Month

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Next.js Vercel
NVD GitHub
CVSS 3.1
6.5
EPSS
5.6%
CVE-2025-57752 npm MEDIUM PATCH This Month

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Authentication Bypass Red Hat Next.js Vercel
NVD GitHub
CVSS 3.1
6.2
EPSS
0.1%
CVE-2025-55173 npm MEDIUM PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Red Hat Next.js Vercel
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-6087 npm CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

SSRF Next.js Node.js Information Disclosure Opennext For Cloudflare +2
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2025-48947 npm HIGH PATCH This Week

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.

Next.js Node.js Information Disclosure Authentication Bypass
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-48068 npm LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Next.js Vercel
NVD GitHub
CVSS 4.0
2.3
EPSS
0.1%
CVE-2025-32421 npm LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Race Condition Next.js Vercel
NVD GitHub
CVSS 3.1
3.7
EPSS
0.4%
CVE-2025-30218 npm LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Next.js Vercel
NVD GitHub
CVSS 4.0
1.7
EPSS
0.2%
CVE-2025-29927 npm CRITICAL POC PATCH THREAT Act Now

Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.

Authentication Bypass Red Hat Next.js Vercel
NVD GitHub Exploit-DB
CVSS 3.1
9.1
EPSS
93.0%
Threat
6.1
CVE-2024-56332 npm MEDIUM PATCH This Month

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Red Hat Next.js Vercel
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2017-16877 npm HIGH POC PATCH THREAT Act Now

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.8%.

Path Traversal Next.js
NVD GitHub
CVSS 3.0
7.5
EPSS
80.8%
Threat
5.4
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1

Authentication Bypass Astro Next.js +2
NVD GitHub VulDB
EPSS 6% CVSS 6.5
MEDIUM POC PATCH This Month

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Next.js Vercel
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Authentication Bypass Red Hat Next.js +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Red Hat Next.js +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

A remote code execution vulnerability (CVSS 9.1). Critical severity with potential for significant impact on affected systems.

SSRF Next.js Node.js +4
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

A security vulnerability in Next.js applications. In Auth0 Next.js SDK (CVSS 7.7). High severity vulnerability requiring prompt remediation.

Next.js Node.js Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Node.js Next.js +1
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Race Condition Next.js +1
NVD GitHub
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Next.js is a React framework for building full-stack web applications. Rated low severity (CVSS 1.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Next.js Vercel
NVD GitHub
EPSS 93% 6.1 CVSS 9.1
CRITICAL POC PATCH THREAT Act Now

Next.js versions 1.11.4 through 15.2.2 contain a critical middleware authorization bypass via the x-middleware-subrequest header. Attackers can send crafted requests that skip middleware entirely, bypassing authentication, authorization, and security headers enforced at the middleware layer.

Authentication Bypass Red Hat Next.js +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Next.js is a React framework for building full-stack web applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Red Hat Next.js +1
NVD GitHub
EPSS 81% 5.4 CVSS 7.5
HIGH POC PATCH THREAT Act Now

ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.8%.

Path Traversal Next.js
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy