Acceptance of Extraneous Untrusted Data With Trusted Data in next | CVE-2026-44572

Q: How to fix?

Upgrade next to version 15.5.16, 16.2.5 or higher.

Introduced: 11 May 2026

NewCVE-2026-44572 (opens in a new tab) CWE-349 (opens in a new tab)

How to fix?

Upgrade next to version 15.5.16, 16.2.5 or higher.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the x-nextjs-data header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths by injecting this header in requests, causing the middleware to generate a redirect response lacking a standard Location header. If a CDN or reverse proxy caches this malformed response without varying on the injected header, subsequent users may receive unusable redirects, resulting in service disruption until the cache is cleared.

Workaround

This vulnerability can be mitigated by configuring the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Acceptance of Extraneous Untrusted Data With Trusted Data Affecting next package, versions >=12.2.0 <15.5.16>=16.0.0-beta.0 <16.2.5

Severity

Do your applications use this vulnerable package?