Vulnerability	Vulnerable Version
H Missing Authorization next is a react framework. Affected versions of this package are vulnerable to Missing Authorization when using pathname-based checks in middleware for authorization decisions. If i18n configuration is not configured, an attacker can get unintended access to pages one level under the application's root directory. e.g. `https://example.com/foo` is accessible. `https://example.com/` and `https://example.com/foo/bar` are not. Note: Only self-hosted applications are vulnerable. The vulnerability has been fixed by Vercel on the server side. How to fix Missing Authorization? Upgrade `next` to version 14.2.15 or higher.	>=9.5.5 <14.2.15
H Uncontrolled Recursion next is a react framework. Affected versions of this package are vulnerable to Uncontrolled Recursion through the image optimization feature. An attacker can cause excessive CPU consumption by exploiting this vulnerability. How to fix Uncontrolled Recursion? Upgrade `next` to version 14.2.7, 15.0.0-canary.109 or higher.	>=10.0.0 <14.2.7>=15.0.0-canary.0 <15.0.0-canary.109
M Server-Side Request Forgery (SSRF) next is a react framework. Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through the `Host` header manipulation. An attacker can make unauthorized requests appearing to originate from the server. Notes: Prerequisites: Next.js (<14.1.1) is running in a self-hosted manner. The Next.js application makes use of Server Actions. The Server Action performs a redirect to a relative path which starts with a `/`. How to fix Server-Side Request Forgery (SSRF)? Upgrade `next` to version 14.1.1 or higher.	>=13.4.0 <14.1.1

Go back to all versions of this package