Version 15.0.3

next

The React Framework

Install Instructions

npm install next
Current Version Release Date November 07, 2024
Package URL (purl) pkg:npm/next@15.0.3

Find next vulnerabilities in your supply chain.

Scan for Free

next Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2020-5284 Medium 4.3 CWE-22, CWE-23 0.16648 0.9615
  • 9.0.0–9.3.2-canary.9
  • 8.0.0–8.1.1-canary.70
  • 7.0.0–7.0.3-alpha.5
  • 6.0.0–6.1.2
  • 5.0.0–5.1.0
  • 4.0.0–4.4.0-canary.3
  • 3.0.0-beta1–3.2.3
  • 2.0.0–2.4.9
  • 1.0.0–1.2.3
  • 0.1.0–0.9.11
CVE-2021-37699 Medium 6.1 CWE-601 0.00066 0.30636
  • 11.0.0–11.0.2-canary.31
  • 10.0.0–10.2.4-canary.19
  • 9.0.0–9.5.6-canary.18
  • 8.0.0–8.1.1-canary.70
  • 7.0.0–7.0.3-alpha.5
  • 6.0.0–6.1.2
  • 5.0.0–5.1.0
  • 4.0.0–4.4.0-canary.3
  • 3.0.0-beta1–3.2.3
  • 2.0.0–2.4.9
  • 1.0.0–1.2.3
  • 0.9.9–0.9.11
CVE-2021-39178 Medium 6.1 CWE-79 0.00066 0.30636
  • 11.0.0–11.1.1-canary.19
  • 10.0.0–10.2.4-canary.19
CVE-2021-43803 High 7.5 CWE-20 0.00226 0.61287
  • 12.0.0–12.0.5-canary.19
  • 11.0.0–11.1.3-canary.104
  • 10.0.0–10.2.4-canary.19
  • 9.0.0–9.5.6-canary.18
  • 8.0.0–8.1.1-canary.70
  • 7.0.0–7.0.3-alpha.5
  • 6.0.0–6.1.2
  • 5.0.0–5.1.0
  • 4.0.0–4.4.0-canary.3
  • 3.0.0-beta1–3.2.3
  • 2.0.0–2.4.9
  • 1.0.0–1.2.3
  • 0.9.9–0.9.11
CVE-2022-23646 High 7.5 CWE-451 0.00183 0.56441
  • 12.0.0–12.0.11-canary.21
  • 11.0.0–11.1.4
  • 10.0.0–10.2.4-canary.19
CVE-2023-46298 High 7.5 CWE-400 0.00069 0.31535
  • 13.0.0–13.4.20-canary.12
  • 12.0.0–12.3.4
  • 11.0.0–11.1.4
  • 10.0.0–10.2.4-canary.19
  • 9.0.0–9.5.6-canary.18
  • 8.0.0–8.1.1-canary.70
  • 7.0.0–7.0.3-alpha.5
  • 6.0.0–6.1.2
  • 5.0.0–5.1.0
  • 4.0.0–4.4.0-canary.3
  • 3.0.0-beta1–3.2.3
  • 2.0.0–2.4.9
  • 1.0.0–1.2.3
  • 0.9.9–0.9.11
CVE-2024-47831 High 7.5 CWE-674 0.00046 0.18166
  • 14.0.0–14.2.6
  • 13.0.0–13.5.7-canary.37
  • 12.0.0–12.3.4
  • 11.0.0–11.1.4
  • 10.0.0–10.2.4-canary.19
CVE-2018-6184 High 7.5 CWE-22 0.00388 0.7377
  • 4.0.0–4.2.2
  • 3.0.0-beta1–3.2.3
  • 2.0.0–2.4.9
  • 1.0.0–1.2.3
CVE-2017-16877 High 7.5 CWE-22 0.00337 0.71903
  • 2.0.0–2.4.0
  • 1.0.0–1.2.3
CVE-2020-15242 Medium 6.1 CWE-601 0.00066 0.30636
  • 9.5.0–9.5.4-canary.25
CVE-2022-21721 High 7.5 CWE-400 0.00171 0.54932
  • 12.0.0–12.0.9-canary.12
CVE-2018-18282 Medium 6.1 CWE-79 0.00064 0.29265
  • 7.0.0–7.0.2-canary.50
CVE-2024-46982 High 7.5 CWE-639 0.00045 0.16759
  • 14.0.0–14.2.9
  • 13.5.1–13.5.7-canary.37
CVE-2024-34351 High 7.5 CWE-918 0.00102 0.42929
  • 14.0.0–14.1.1-canary.82
  • 13.4.0–13.5.7-canary.37
CVE-2024-34350 High 7.5 CWE-444 0.00043 0.10003
  • 13.4.0–13.5.1-canary.1
CVE-2024-39693 High 7.5 CWE-400 0.00043 0.10003
  • 13.3.1–13.4.20-canary.40
CVE-2022-36046 Medium 5.3 CWE-754, CWE-248 0.00076 0.34102
  • 12.2.3

next Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-47831 Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither the `next.config.js` file that is configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value nor the Next.js application that is hosted on Vercel are affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned. 10.1.3, 10.2.2, 10.0.2-canary.7, 10.0.5-canary.11, 10.0.2-canary.13, 12.0.3-canary.1, 12.0.2-canary.12, 10.0.5 (Show all) Major → 14.2.10
CVE-2024-46982 Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version. 14.2.3, 14.2.1, 14.2.0-canary.59, 14.2.0-canary.49, 14.2.0-canary.45, 14.2.0-canary.44, 14.0.3, 14.2.0-canary.20 (Show all) Patch → 14.2.10
CVE-2024-39693 Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. his vulnerability was resolved in Next.js 13.5 and later. 13.4.20-canary.13, 13.4.15, 13.4.13, 13.4.11, 13.4.8, 13.4.8-canary.14, 13.4.5, 13.4.5-canary.7 (Show all) Patch → 14.2.10
CVE-2024-34351 Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`. 14.0.3, 13.4.20-canary.13, 14.0.1, 13.5.7, 14.0.0, 13.5.5-canary.2, 13.4.15, 13.4.13 (Show all) Minor → 14.2.10
CVE-2024-34350 Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer. 13.4.20-canary.13, 13.4.15, 13.4.13, 13.4.11, 13.4.8, 13.4.8-canary.14, 13.4.5, 13.4.5-canary.7 (Show all) Patch → 14.2.10
CVE-2023-46298 Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. 10.1.3, 10.2.2, 9.3.2-canary.7, 10.0.2-canary.7, 2.3.1, 2.0.0-beta.42, 2.0.0-beta.35, 9.2.3-canary.26 (Show all) Major → 14.2.10
CVE-2022-36046 Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests. 12.2.3 Major → 14.2.10
CVE-2022-23646 Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default. 10.1.3, 10.2.2, 10.0.2-canary.7, 10.0.5-canary.11, 10.0.2-canary.13, 12.0.3-canary.1, 12.0.2-canary.12, 10.0.5 (Show all) Major → 14.2.10
CVE-2022-21721 Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this issue. As a workaround, one may ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until it becomes feasible to upgrade. 12.0.3-canary.1, 12.0.2-canary.12, 12.0.1-canary.3, 12.0.2-canary.14, 12.0.5-canary.8, 12.0.4, 12.0.1-canary.0, 12.0.3-canary.8 (Show all) Patch → 14.2.10
CVE-2021-43803 Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. 10.1.3, 10.2.2, 9.3.2-canary.7, 10.0.2-canary.7, 2.3.1, 2.0.0-beta.42, 2.0.0-beta.35, 9.2.3-canary.26 (Show all) Major → 14.2.10
CVE-2021-39178 Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1. 10.1.3, 10.2.2, 10.0.2-canary.7, 10.0.5-canary.11, 10.0.2-canary.13, 10.0.5, 10.0.4-canary.7, 10.0.1 (Show all) Major → 14.2.10
CVE-2021-37699 Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0. 10.1.3, 10.2.2, 9.3.2-canary.7, 10.0.2-canary.7, 2.3.1, 2.0.0-beta.42, 2.0.0-beta.35, 9.2.3-canary.26 (Show all) Major → 14.2.10
CVE-2020-5284 Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2. 0.4.1, 9.3.2-canary.7, 2.3.1, 2.0.0-beta.42, 2.0.0-beta.35, 9.2.3-canary.26, 7.0.0-canary.8, 5.0.0-universal-alpha.2 (Show all) Major → 14.2.10
CVE-2020-15242 Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4. 9.5.4-canary.6, 9.5.4-canary.11, 9.5.3-canary.20, 9.5.2-canary.14, 9.5.4-canary.9, 9.5.3-canary.8, 9.5.4-canary.4, 9.5.2-canary.2 (Show all) Major → 14.2.10
CVE-2018-6184 ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_next request namespace. 2.3.1, 2.0.0-beta.42, 2.0.0-beta.35, 2.0.0-beta.37, 2.0.0-beta.1, 1.2.3, 1.1.2, 4.0.1 (Show all) Major → 14.2.10
CVE-2018-18282 Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. 7.0.2-canary.10, 7.0.2-canary.23, 7.0.2-canary.49, 7.0.2-canary.12, 7.0.2-canary.21, 7.0.2-canary.45, 7.0.2-canary.33, 7.0.2-canary.46 (Show all) Major → 14.2.10
CVE-2017-16877 ZEIT Next.js before 2.4.1 has directory traversal under the /_next and /static request namespace, allowing attackers to obtain sensitive information. 2.3.1, 2.0.0-beta.42, 2.0.0-beta.35, 2.0.0-beta.37, 2.0.0-beta.1, 1.2.3, 1.1.2, 2.0.0-beta.20 (Show all) Major → 14.2.10

Instantly see if these next vulnerabilities affect your code.

Scan for Free