next 16.2.0-canary.101 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the next package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Missing Origin Validation in WebSockets next is a react framework. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets in the internal dev endpoint when the `Origin` header is set to `null`. An attacker can interact with internal development websocket traffic by connecting from privacy-sensitive or opaque contexts, such as sandboxed documents, if the development server is accessible from attacker-controlled content. How to fix Missing Origin Validation in WebSockets? Upgrade `next` to version 16.1.7, 16.2.0-canary.102 or higher.	>=16.0.1 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102
M HTTP Request Smuggling next is a react framework. Affected versions of this package are vulnerable to HTTP Request Smuggling during the rewrite of the proxy traffic to an external backend. An attacker can access unintended backend routes by sending crafted `DELETE` or `OPTIONS` requests with `Transfer-Encoding: chunked` headers. This is only exploitable if the application is not hosted on providers that handle rewrites at the CDN level. How to fix HTTP Request Smuggling? Upgrade `next` to version 15.5.13, 16.1.7, 16.2.0-canary.102 or higher.	>=9.5.0 <15.5.13>=16.0.0-beta.0 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102
M Cross-site Request Forgery (CSRF) next is a react framework. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the uncaught `origin: null` in the Server Action CSRF validation. An attacker can perform unauthorized state-changing actions on behalf of a user by inducing the user's browser to submit requests from a sandboxed context, bypassing origin verification. How to fix Cross-site Request Forgery (CSRF)? Upgrade `next` to version 16.1.7, 16.2.0-canary.102 or higher.	>=16.0.1 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102

Vulnerability

Vulnerable Version

Missing Origin Validation in WebSockets

next is a react framework.

Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets in the internal dev endpoint when the Origin header is set to null. An attacker can interact with internal development websocket traffic by connecting from privacy-sensitive or opaque contexts, such as sandboxed documents, if the development server is accessible from attacker-controlled content.

How to fix Missing Origin Validation in WebSockets?

Upgrade next to version 16.1.7, 16.2.0-canary.102 or higher.

>=16.0.1 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102

HTTP Request Smuggling

next is a react framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling during the rewrite of the proxy traffic to an external backend. An attacker can access unintended backend routes by sending crafted DELETE or OPTIONS requests with Transfer-Encoding: chunked headers. This is only exploitable if the application is not hosted on providers that handle rewrites at the CDN level.

How to fix HTTP Request Smuggling?

Upgrade next to version 15.5.13, 16.1.7, 16.2.0-canary.102 or higher.

>=9.5.0 <15.5.13>=16.0.0-beta.0 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102

Cross-site Request Forgery (CSRF)

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the uncaught origin: null in the Server Action CSRF validation. An attacker can perform unauthorized state-changing actions on behalf of a user by inducing the user's browser to submit requests from a sandboxed context, bypassing origin verification.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade next to version 16.1.7, 16.2.0-canary.102 or higher.

>=16.0.1 <16.1.7>=16.2.0-canary.0 <16.2.0-canary.102

next@16.2.0-canary.101 vulnerabilities

The React Framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically