next@16.0.2-canary.30 vulnerabilities
The React Framework
latest version
16.0.8
latest non vulnerable version
first published
14 years ago
latest version published
19 hours ago
licenses detected
- >=0
Direct Vulnerabilities
Known vulnerabilities in the next package. This does not include vulnerabilities belonging to this package’s dependencies.
Fix vulnerabilities automatically
Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
next is a react framework. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe deserialization of RSC payloads from HTTP requests to Server Function endpoints. An unauthenticated attacker can execute arbitrary code on the server by sending malicious HTTP requests. Note: Serverless applications and applications that do not use a framework, bundler, or bundler plugin that supports React Server Components are not affected by this vulnerability. Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected. This vulnerability originates in the upstream React implementation. This advisory tracks the downstream impact on Next.js applications using the App Router. CVE-2025-66478 was originally announced for this vulnerability and later rejected as a duplicate of CVE-2025-55182. How to fix Arbitrary Code Injection? Upgrade | >=14.3.0-canary.77 <15.0.5>=15.1.0 <15.1.9>=15.2.0-canary.0 <15.2.6>=15.3.0-canary.0 <15.3.6>=15.4.0-canary.0 <15.4.8>=15.5.0 <15.5.7>=16.0.0-beta.0 <16.0.7 |