next 14.3.0-canary.14

Direct Vulnerabilities

Known vulnerabilities in the next package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Cross-site Scripting (XSS) next is a react framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CSP nonce headers. An attacker can inject malicious scripts into cached HTML responses by supplying malformed nonce values, which may then be executed in the browsers of subsequent visitors. This is possible when applications are deployed behind shared caches and rely on request-derived nonce values. How to fix Cross-site Scripting (XSS)? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Incorrect Authorization next is a react framework. Affected versions of this package are vulnerable to Incorrect Authorization in the `/_next/data/<buildId>/<page>.json` route when `i18n` is configured and authorization is enforced via middleware or proxy. An attacker can gain unauthorized access to sensitive server-side-rendered JSON data for protected pages by making locale-less requests that bypass the intended authorization checks. How to fix Incorrect Authorization? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Server-side Request Forgery (SSRF) next is a react framework. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via crafted WebSocket upgrade requests. An attacker can access internal or external resources by sending specially crafted requests with absolute-url that cause the server to proxy connections to arbitrary destinations, potentially exposing sensitive internal services or cloud metadata endpoints. How to fix Server-side Request Forgery (SSRF)? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Cross-site Scripting (XSS) next is a react framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `beforeInteractive` process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious content into the serialized script. How to fix Cross-site Scripting (XSS)? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the `/_next/image` endpoint that match the `images.localPatterns` configuration. An attacker can exhaust server memory and cause a denial of service by requesting large local assets, leading to out-of-memory conditions. Note: This is only exploitable if the default image loader is used and the `images.localPatterns` configuration allows access to large local files. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=10.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Use of Weak Hash next is a react framework. Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the `_rsc` cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is only exploitable if deployments rely on shared caches with insufficient response partitioning. How to fix Use of Weak Hash? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.4.6-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Interpretation Conflict next is a react framework. Affected versions of this package are vulnerable to Interpretation Conflict via improper handling of shared cache entries for React Server Component responses. An attacker can cause unintended component payloads to be served to other users by manipulating shared cache behavior through crafted requests. How to fix Interpretation Conflict? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=14.2.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Acceptance of Extraneous Untrusted Data With Trusted Data next is a react framework. Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the `x-nextjs-data` header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths by injecting this header in requests, causing the middleware to generate a redirect response lacking a standard `Location` header. If a CDN or reverse proxy caches this malformed response without varying on the injected header, subsequent users may receive unusable redirects, resulting in service disruption until the cache is cleared. How to fix Acceptance of Extraneous Untrusted Data With Trusted Data? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by sending malicious `FormData` in an HTTP request. Note: Only React apps that use React Server Components are vulnerable. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `createMap`, `createSet`, and `extractIterator` functions in `packages/react-server/src/ReactFlightReplyServer.js`. An attacker can crash the server by supplying a model that contains cyclic reference and is consumed more than once during React Server Components decoding. The repeated consumption triggers an exception during reply processing, breaking rendering for requests that handle attacker-controlled Flight payloads. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.5.15, 16.2.3 or higher.	>=13.0.0 <15.5.15>=15.6.0-canary.0 <16.2.3
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exceptions, or excessive CPU usage by sending specially crafted HTTP requests to Server Function endpoints. Notes: This issue is a result of an incomplete fix for CVE-2025-55184 If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, 16.2.0-canary.9 or higher.	>=13.0.0 <15.0.8>=15.1.0 <15.1.12>=15.2.0-canary.0 <15.2.9>=15.3.0-canary.0 <15.3.9>=15.4.0-canary.0 <15.4.11>=15.5.0 <15.5.10>=15.6.0-canary.0 <15.6.0-canary.61>=16.0.0-canary.0 <16.0.11>=16.1.0-canary.0 <16.1.5>=16.2.0-canary.0 <16.2.0-canary.9
M HTTP Request Smuggling next is a react framework. Affected versions of this package are vulnerable to HTTP Request Smuggling during the rewrite of the proxy traffic to an external backend. An attacker can access unintended backend routes by sending crafted `DELETE` or `OPTIONS` requests with `Transfer-Encoding: chunked` headers. This is only exploitable if the application is not hosted on providers that handle rewrites at the CDN level. How to fix HTTP Request Smuggling? Upgrade `next` to version 15.5.13, 16.1.7, 16.2.0-canary.102 or higher.	>=9.5.0 <15.5.13>=16.0.0-beta.0 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102
M Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of an upper bound on the disk cache used by the image optimization. An attacker can exhaust disk storage by generating a large number of unique image optimization variants, leading to service disruption. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 16.1.7, 16.2.0-canary.54 or higher.	>=10.0.0 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.54
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `fetchExternalImage()` function, which is used for image optimization and loads external images into memory without a maximum size limit. An attacker can exhaust system memory and disrupt service availability by requesting optimization of very large images from external domains. Note: This is only exploitable if `remotePatterns` is configured to allow image optimization from external domains and the attacker can serve or control a large image on an allowed domain. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.5.10, 16.1.1-canary.15, 16.1.5 or higher.	>=10.0.0 <15.5.10>=16.0.0-beta.0 <16.1.1-canary.15>=16.1.1 <16.1.5

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CSP nonce headers. An attacker can inject malicious scripts into cached HTML responses by supplying malformed nonce values, which may then be executed in the browsers of subsequent visitors. This is possible when applications are deployed behind shared caches and rely on request-derived nonce values.

How to fix Cross-site Scripting (XSS)?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Incorrect Authorization

next is a react framework.

Affected versions of this package are vulnerable to Incorrect Authorization in the /_next/data/<buildId>/<page>.json route when i18n is configured and authorization is enforced via middleware or proxy. An attacker can gain unauthorized access to sensitive server-side-rendered JSON data for protected pages by making locale-less requests that bypass the intended authorization checks.

How to fix Incorrect Authorization?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Server-side Request Forgery (SSRF)

next is a react framework.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via crafted WebSocket upgrade requests. An attacker can access internal or external resources by sending specially crafted requests with absolute-url that cause the server to proxy connections to arbitrary destinations, potentially exposing sensitive internal services or cloud metadata endpoints.

How to fix Server-side Request Forgery (SSRF)?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Cross-site Scripting (XSS)

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the beforeInteractive process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious content into the serialized script.

How to fix Cross-site Scripting (XSS)?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the /_next/image endpoint that match the images.localPatterns configuration. An attacker can exhaust server memory and cause a denial of service by requesting large local assets, leading to out-of-memory conditions.

Note: This is only exploitable if the default image loader is used and the images.localPatterns configuration allows access to large local files.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=10.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Use of Weak Hash

next is a react framework.

Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the _rsc cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is only exploitable if deployments rely on shared caches with insufficient response partitioning.

How to fix Use of Weak Hash?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.4.6-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Interpretation Conflict

next is a react framework.

Affected versions of this package are vulnerable to Interpretation Conflict via improper handling of shared cache entries for React Server Component responses. An attacker can cause unintended component payloads to be served to other users by manipulating shared cache behavior through crafted requests.

How to fix Interpretation Conflict?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=14.2.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Acceptance of Extraneous Untrusted Data With Trusted Data

next is a react framework.

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the x-nextjs-data header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths by injecting this header in requests, causing the middleware to generate a redirect response lacking a standard Location header. If a CDN or reverse proxy caches this malformed response without varying on the injected header, subsequent users may receive unusable redirects, resulting in service disruption until the cache is cleared.

How to fix Acceptance of Extraneous Untrusted Data With Trusted Data?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by sending malicious FormData in an HTTP request.

Note: Only React apps that use React Server Components are vulnerable.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the createMap, createSet, and extractIterator functions in packages/react-server/src/ReactFlightReplyServer.js. An attacker can crash the server by supplying a model that contains cyclic reference and is consumed more than once during React Server Components decoding. The repeated consumption triggers an exception during reply processing, breaking rendering for requests that handle attacker-controlled Flight payloads.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.5.15, 16.2.3 or higher.

>=13.0.0 <15.5.15>=15.6.0-canary.0 <16.2.3

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the decoding reply functions of React Flight protocol. An attacker can cause server crashes, out-of-memory exceptions, or excessive CPU usage by sending specially crafted HTTP requests to Server Function endpoints.

Notes:

This issue is a result of an incomplete fix for CVE-2025-55184
If your app’s React code does not use a server, your app is not affected by these vulnerabilities.
If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.0.8, 15.1.12, 15.2.9, 15.3.9, 15.4.11, 15.5.10, 15.6.0-canary.61, 16.0.11, 16.1.5, 16.2.0-canary.9 or higher.

>=13.0.0 <15.0.8>=15.1.0 <15.1.12>=15.2.0-canary.0 <15.2.9>=15.3.0-canary.0 <15.3.9>=15.4.0-canary.0 <15.4.11>=15.5.0 <15.5.10>=15.6.0-canary.0 <15.6.0-canary.61>=16.0.0-canary.0 <16.0.11>=16.1.0-canary.0 <16.1.5>=16.2.0-canary.0 <16.2.0-canary.9

HTTP Request Smuggling

next is a react framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling during the rewrite of the proxy traffic to an external backend. An attacker can access unintended backend routes by sending crafted DELETE or OPTIONS requests with Transfer-Encoding: chunked headers. This is only exploitable if the application is not hosted on providers that handle rewrites at the CDN level.

How to fix HTTP Request Smuggling?

Upgrade next to version 15.5.13, 16.1.7, 16.2.0-canary.102 or higher.

>=9.5.0 <15.5.13>=16.0.0-beta.0 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of an upper bound on the disk cache used by the image optimization. An attacker can exhaust disk storage by generating a large number of unique image optimization variants, leading to service disruption.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 16.1.7, 16.2.0-canary.54 or higher.

>=10.0.0 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.54

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the fetchExternalImage() function, which is used for image optimization and loads external images into memory without a maximum size limit. An attacker can exhaust system memory and disrupt service availability by requesting optimization of very large images from external domains.

Note:

This is only exploitable if remotePatterns is configured to allow image optimization from external domains and the attacker can serve or control a large image on an allowed domain.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.5.10, 16.1.1-canary.15, 16.1.5 or higher.

>=10.0.0 <15.5.10>=16.0.0-beta.0 <16.1.1-canary.15>=16.1.1 <16.1.5

next@14.3.0-canary.14

The React Framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically