Homepage

next@15.3.7 vulnerabilities

The React Framework

  • latest version

    16.1.6

  • latest non vulnerable version

    16.2.0-canary.77

  • first published

    14 years ago

  • latest version published

    1 months ago

  • licenses detected

  • View next package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the next package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Allocation of Resources Without Limits or Throttling

    next is a react framework.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Partial Prerendering resume endpoint when unauthenticated POST requests with the Next-Resume: 1 header are processed and attacker-controlled postponed state data is handled. An attacker can cause the server process to crash and exhaust system memory by sending large or highly compressed payloads that are buffered or decompressed without size limits.

    Note:

    This is only exploitable if the application is running with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade next to version 15.6.0-canary.61, 16.1.1-canary.16, 16.1.5 or higher.

    >=15.0.0-canary.0 <15.6.0-canary.61>=16.0.0-beta.0 <16.1.1-canary.16>=16.1.1 <16.1.5
    • H
    Allocation of Resources Without Limits or Throttling

    next is a react framework.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the fetchExternalImage() function, which is used for image optimization and loads external images into memory without a maximum size limit. An attacker can exhaust system memory and disrupt service availability by requesting optimization of very large images from external domains.

    Note:

    This is only exploitable if remotePatterns is configured to allow image optimization from external domains and the attacker can serve or control a large image on an allowed domain.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade next to version 15.5.10, 16.1.1-canary.15, 16.1.5 or higher.

    >=10.0.0 <15.5.10>=16.0.0-beta.0 <16.1.1-canary.15>=16.1.1 <16.1.5
    • H
    Deserialization of Untrusted Data

    next is a react framework.

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads.

    Note:

    This is caused by an incomplete fix for CVE-2025-55184.

    How to fix Deserialization of Untrusted Data?

    Upgrade next to version 14.2.35, 15.0.7, 15.1.11, 15.2.8, 15.3.8, 15.4.10, 15.5.9, 16.0.10, 16.1.0-canary.19 or higher.

    >=14.2.34 <14.2.35>=15.0.6 <15.0.7>=15.1.10 <15.1.11>=15.2.7 <15.2.8>=15.3.7 <15.3.8>=15.4.9 <15.4.10>=15.5.8 <15.5.9>=16.0.9 <16.0.10>=16.1.0-canary.0 <16.1.0-canary.19
    • H
    Server-side Request Forgery (SSRF)

    next is a react framework.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the resolve-routes. An attacker can access internal resources and potentially exfiltrate sensitive information by crafting requests containing user-controlled headers (e.g., Location) that are forwarded or interpreted without validation.

    Note: This is only exploitable if custom middleware logic is implemented in a self-hosted deployment. The project maintainers recommend using the documented NextResponse.next({request}) to explicitly pass the request object.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade next to version 14.2.32, 15.4.2-canary.43, 15.4.7 or higher.

    <14.2.32>=15.0.0 <15.4.2-canary.43>=15.4.3 <15.4.7
    • M
    Use of Cache Containing Sensitive Information

    next is a react framework.

    Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the image optimization process, when responses from API routes vary based on request headers such as Cookie or Authorization. An attacker can gain unauthorized access to sensitive image data by exploiting cache key confusion, causing responses intended for authenticated users to be served to unauthorized users.

    Note: Exploitation requires a prior authorized request to populate the cache.

    How to fix Use of Cache Containing Sensitive Information?

    Upgrade next to version 14.2.31, 15.4.2-canary.19, 15.4.5 or higher.

    <14.2.31>=15.0.0 <15.4.2-canary.19>=15.4.3 <15.4.5
    • L
    Missing Source Correlation of Multiple Independent Data

    next is a react framework.

    Affected versions of this package are vulnerable to Missing Source Correlation of Multiple Independent Data in image-optimizer. An attacker can cause arbitrary files to be downloaded with attacker-controlled content and filenames by supplying malicious external image sources.

    Note: This is only exploitable if the application is configured to allow external image sources via the images.domains or images.remotePatterns configuration.

    How to fix Missing Source Correlation of Multiple Independent Data?

    Upgrade next to version 14.2.31, 15.4.2-canary.19, 15.4.5 or higher.

    <14.2.31>=15.0.0 <15.4.2-canary.19>=15.4.3 <15.4.5
    Go back to all versions of this package