next 16.2.3

Direct Vulnerabilities

Known vulnerabilities in the next package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Authentication Bypass Using an Alternate Path or Channel next is a react framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the `middleware.ts` with Turbopack enabled. An attacker can gain unauthorized access to protected resources by bypassing authentication mechanisms through specially crafted segment-prefetch routes. Note: This vulnerability relates to the incomplete fix of CVE-2026-44575 How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `next` to version 15.5.18, 16.2.6 or higher.	>=15.2.0-canary.0 <15.5.18>=16.0.0-beta.0 <16.2.6
H Authentication Bypass Using an Alternate Path or Channel next is a react framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the handling of segment-prefetch routes. An attacker can gain unauthorized access to protected content by crafting `.rsc` and segment-prefetch URLs that bypass intended authorization checks in middleware or proxy-based configurations. Notes: This is only exploitable if authorization is enforced solely through middleware or proxy checks, and not within the underlying route or page logic. This fix is incomplete and does not cover `middleware.ts` with Turbopack enabled. For additional details see CVE-2026-45109 How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=15.2.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
L Cross-site Scripting (XSS) next is a react framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CSP nonce headers. An attacker can inject malicious scripts into cached HTML responses by supplying malformed nonce values, which may then be executed in the browsers of subsequent visitors. This is possible when applications are deployed behind shared caches and rely on request-derived nonce values. How to fix Cross-site Scripting (XSS)? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Incorrect Authorization next is a react framework. Affected versions of this package are vulnerable to Incorrect Authorization in the `/_next/data/<buildId>/<page>.json` route when `i18n` is configured and authorization is enforced via middleware or proxy. An attacker can gain unauthorized access to sensitive server-side-rendered JSON data for protected pages by making locale-less requests that bypass the intended authorization checks. How to fix Incorrect Authorization? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Server-side Request Forgery (SSRF) next is a react framework. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via crafted WebSocket upgrade requests. An attacker can access internal or external resources by sending specially crafted requests with absolute-url that cause the server to proxy connections to arbitrary destinations, potentially exposing sensitive internal services or cloud metadata endpoints. How to fix Server-side Request Forgery (SSRF)? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Cross-site Scripting (XSS) next is a react framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the `beforeInteractive` process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious content into the serialized script. How to fix Cross-site Scripting (XSS)? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the `/_next/image` endpoint that match the `images.localPatterns` configuration. An attacker can exhaust server memory and cause a denial of service by requesting large local assets, leading to out-of-memory conditions. Note: This is only exploitable if the default image loader is used and the `images.localPatterns` configuration allows access to large local files. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=10.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Authentication Bypass Using an Alternate Path or Channel next is a react framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via dynamic full-route RSC requests in the deployment adapter. An attacker can gain unauthorized access to protected content by injecting a URL with query params that got misclassified by the `onCacheEntryV2` callback as HTML, bypassing expected authorization checks. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=15.4.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling involving Partial Prerendering in the Cache Components feature. An attacker can exhaust the connection pool by sending malicious POST requests that cause a deadlock. This, in turn, causes connections to be left open and consumes file descriptors and server capacity. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=15.0.0-rc.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Use of Weak Hash next is a react framework. Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the `_rsc` cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is only exploitable if deployments rely on shared caches with insufficient response partitioning. How to fix Use of Weak Hash? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.4.6-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Interpretation Conflict next is a react framework. Affected versions of this package are vulnerable to Interpretation Conflict via improper handling of shared cache entries for React Server Component responses. An attacker can cause unintended component payloads to be served to other users by manipulating shared cache behavior through crafted requests. How to fix Interpretation Conflict? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=14.2.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5
M Acceptance of Extraneous Untrusted Data With Trusted Data next is a react framework. Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the `x-nextjs-data` header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths by injecting this header in requests, causing the middleware to generate a redirect response lacking a standard `Location` header. If a CDN or reverse proxy caches this malformed response without varying on the injected header, subsequent users may receive unusable redirects, resulting in service disruption until the cache is cleared. How to fix Acceptance of Extraneous Untrusted Data With Trusted Data? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5
H Allocation of Resources Without Limits or Throttling next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by sending malicious `FormData` in an HTTP request. Note: Only React apps that use React Server Components are vulnerable. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `next` to version 15.5.16, 16.2.5 or higher.	>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Vulnerability

Vulnerable Version

Authentication Bypass Using an Alternate Path or Channel

next is a react framework.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the middleware.ts with Turbopack enabled. An attacker can gain unauthorized access to protected resources by bypassing authentication mechanisms through specially crafted segment-prefetch routes.

Note: This vulnerability relates to the incomplete fix of CVE-2026-44575

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade next to version 15.5.18, 16.2.6 or higher.

>=15.2.0-canary.0 <15.5.18>=16.0.0-beta.0 <16.2.6

Authentication Bypass Using an Alternate Path or Channel

next is a react framework.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the handling of segment-prefetch routes. An attacker can gain unauthorized access to protected content by crafting .rsc and segment-prefetch URLs that bypass intended authorization checks in middleware or proxy-based configurations.

Notes:

This is only exploitable if authorization is enforced solely through middleware or proxy checks, and not within the underlying route or page logic.
This fix is incomplete and does not cover middleware.ts with Turbopack enabled. For additional details see CVE-2026-45109

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=15.2.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Cross-site Scripting (XSS)

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CSP nonce headers. An attacker can inject malicious scripts into cached HTML responses by supplying malformed nonce values, which may then be executed in the browsers of subsequent visitors. This is possible when applications are deployed behind shared caches and rely on request-derived nonce values.

How to fix Cross-site Scripting (XSS)?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Incorrect Authorization

next is a react framework.

Affected versions of this package are vulnerable to Incorrect Authorization in the /_next/data/<buildId>/<page>.json route when i18n is configured and authorization is enforced via middleware or proxy. An attacker can gain unauthorized access to sensitive server-side-rendered JSON data for protected pages by making locale-less requests that bypass the intended authorization checks.

How to fix Incorrect Authorization?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Server-side Request Forgery (SSRF)

next is a react framework.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via crafted WebSocket upgrade requests. An attacker can access internal or external resources by sending specially crafted requests with absolute-url that cause the server to proxy connections to arbitrary destinations, potentially exposing sensitive internal services or cloud metadata endpoints.

How to fix Server-side Request Forgery (SSRF)?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.4.13-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Cross-site Scripting (XSS)

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the beforeInteractive process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious content into the serialized script.

How to fix Cross-site Scripting (XSS)?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the /_next/image endpoint that match the images.localPatterns configuration. An attacker can exhaust server memory and cause a denial of service by requesting large local assets, leading to out-of-memory conditions.

Note: This is only exploitable if the default image loader is used and the images.localPatterns configuration allows access to large local files.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=10.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Authentication Bypass Using an Alternate Path or Channel

next is a react framework.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via dynamic full-route RSC requests in the deployment adapter. An attacker can gain unauthorized access to protected content by injecting a URL with query params that got misclassified by the onCacheEntryV2 callback as HTML, bypassing expected authorization checks.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=15.4.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling involving Partial Prerendering in the Cache Components feature. An attacker can exhaust the connection pool by sending malicious POST requests that cause a deadlock. This, in turn, causes connections to be left open and consumes file descriptors and server capacity.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=15.0.0-rc.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Use of Weak Hash

next is a react framework.

Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the _rsc cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is only exploitable if deployments rely on shared caches with insufficient response partitioning.

How to fix Use of Weak Hash?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.4.6-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Interpretation Conflict

next is a react framework.

Affected versions of this package are vulnerable to Interpretation Conflict via improper handling of shared cache entries for React Server Component responses. An attacker can cause unintended component payloads to be served to other users by manipulating shared cache behavior through crafted requests.

How to fix Interpretation Conflict?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=14.2.0-canary.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Acceptance of Extraneous Untrusted Data With Trusted Data

next is a react framework.

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the x-nextjs-data header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths by injecting this header in requests, causing the middleware to generate a redirect response lacking a standard Location header. If a CDN or reverse proxy caches this malformed response without varying on the injected header, subsequent users may receive unusable redirects, resulting in service disruption until the cache is cleared.

How to fix Acceptance of Extraneous Untrusted Data With Trusted Data?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Allocation of Resources Without Limits or Throttling

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by sending malicious FormData in an HTTP request.

Note: Only React apps that use React Server Components are vulnerable.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade next to version 15.5.16, 16.2.5 or higher.

>=13.0.0 <15.5.16>=16.0.0-beta.0 <16.2.5

next@16.2.3

The React Framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically