cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-56332,https://securityvulnerability.io/vulnerability/CVE-2024-56332,Denial of Service Vulnerability in Next.js Framework by Vercel,"The Next.js framework, developed by Vercel, has a vulnerability that allows attackers to exploit long-running requests targeting Server Actions, leading to Denial of Service (DoS) conditions. This situation arises when requests are crafted in such a manner that they hang without completing, which can be particularly disruptive in environments where hosting costs are tied to response times. Deployments that do not enforce protections against prolonged Server Actions may face increased risks, especially where hosting platforms like Vercel and Netlify impose limitations on execution duration to mitigate resource-heavy requests. The vulnerability impacts all Next.js versions from 13.0.0 to earlier versions of 13.5.8, as well as various versions up to 15.1.2, emphasizing the urgent need for users to upgrade to safeguarded iterations.",Vercel,,,,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-03T21:15:00.000Z,140
CVE-2024-51479,https://securityvulnerability.io/vulnerability/CVE-2024-51479,Authorization Bypass Vulnerability in Next.js Framework,"CVE-2024-51479 is a critical vulnerability affecting the Next.js framework, which is widely used for building full-stack web applications. In versions prior to 14.2.15, a flaw exists in the authorization mechanism within middleware where pathname-based authorization can be bypassed. This means unauthorized users may access pages directly under the application's root directory, compromising the integrity of web applications. Next.js applications hosted on Vercel have automatic mitigation against this vulnerability, ensuring that even older versions are protected. No official workarounds are available; thus, updating to version 14.2.15 or later is strongly recommended to safeguard against potential exploits.",Vercel,,,,0.0004299999854993075,false,,true,false,true,2024-12-26T10:42:42.000Z,,false,false,,2024-12-17T19:15:00.000Z,530
CVE-2024-47831,https://securityvulnerability.io/vulnerability/CVE-2024-47831,Potential Denial of Service (DoS) Vulnerability in Image Optimization Feature Affects Next.js Versions,"Next.js is a widely-used React Framework for building web applications. Certain versions of Next.js, specifically the 10.x to 14.x branches prior to version 14.2.7, contain a vulnerability related to the image optimization feature. This flaw could potentially lead to a Denial of Service (DoS) condition by causing excessive CPU consumption. Users configuring the `next.config.js` file with `images.unoptimized` set to `true`, or using a non-default value for `images.loader`, or hosting their Next.js application on Vercel are not impacted by this issue. The vulnerability has been addressed in Next.js version 14.2.7. To mitigate risks, it is essential for users to adjust their configuration settings appropriately.",Vercel,Next.js,7.5,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-10-14T18:15:00.000Z,0
CVE-2024-46982,https://securityvulnerability.io/vulnerability/CVE-2024-46982,Next.js vulnerability: Poisoned cache could expose sensitive data,"A cache poisoning vulnerability exists in the Next.js framework, which is widely used for building full-stack web applications. This vulnerability allows an attacker to send a specially crafted HTTP request that can manipulate the cache of non-dynamic server-side rendered routes. Specifically, it affects routes handled by the pages router when configured incorrectly, enabling the caching of content that should remain uncached. Affected versions, from 13.5.1 to 14.2.9, may inadvertently send a `Cache-Control: s-maxage=1, stale-while-revalidate` header, which may influence upstream Content Delivery Networks (CDNs) to cache responses. The only resolution to mitigate this issue is to upgrade to Next.js versions 13.5.7, 14.2.10, or later. Users are encouraged to apply the patch without delay, as there are no recommended workarounds available.",Vercel,Next.js,7.5,HIGH,0.00044999999227002263,false,,true,false,true,2024-12-14T18:14:01.000Z,true,true,false,,2024-09-17T22:15:00.000Z,8028
CVE-2024-39693,https://securityvulnerability.io/vulnerability/CVE-2024-39693,Denial of Service Condition in Next.js Framework,"A critical Denial of Service (DoS) vulnerability has been identified in Next.js, a widely-used React framework. This bug can lead to a server crash, severely affecting the availability and performance of applications built using this framework. The vulnerability was addressed in Next.js version 13.5 and later. Users are strongly advised to update to the latest version to mitigate the risks associated with this vulnerability. For further details, please refer to the advisory on the Vercel GitHub page.",Vercel,Next.js,7.5,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-10T19:54:10.773Z,0
CVE-2024-34351,https://securityvulnerability.io/vulnerability/CVE-2024-34351,Server-Side Request Forgery (SSRF) vulnerability in Next.js Server Actions,"A vulnerability has been identified in the Next.js framework that allows Server-Side Request Forgery (SSRF) under specific conditions. This flaw arises when the 'Host' header is modified in a self-hosted Next.js environment. Particularly, if the application utilizes Server Actions and those actions perform redirects to relative paths starting with '/', an attacker could exploit this by making requests that seem to originate from the Next.js application server itself. The issue has been addressed and fixed in version 14.1.1 of Next.js.",Vercel,Next.js,7.5,HIGH,0.001019999966956675,false,,true,false,true,2024-05-11T05:39:10.000Z,true,true,true,2024-05-10T11:52:02.702Z,2024-05-14T15:38:00.000Z,17162
CVE-2024-34350,https://securityvulnerability.io/vulnerability/CVE-2024-34350,Next.js resolves response queue poisoning vulnerability in affected versions,"Two new vulnerabilities have been discovered in Next.js, related to response queue poisoning and SSRF on certain Next.js versions. The response queue poisoning vulnerability can manipulate a front-end server and map wrong back-end responses, while the SSRF vulnerability occurs when the server is called by a redirect and takes the host header from the client, potentially leading to an SSRF vulnerability. These vulnerabilities have been patched in Next.js versions 13.5.1 and 14.x to prevent exploitation. No known ransomware cases related to the vulnerabilities have been reported.",Vercel,Next.js,7.5,HIGH,0.0004299999854993075,false,,true,false,false,,,false,false,,2024-05-14T15:38:00.000Z,0
CVE-2024-24828,https://securityvulnerability.io/vulnerability/CVE-2024-24828,Predictable Package Names in pkg Lead to Security Risks,"The pkg tool from Vercel, intended for bundling Node.js projects into executable files, exposes a vulnerability due to its use of a hardcoded directory on Unix systems, specifically `/tmp/pkg/*`. This shared directory lacks uniqueness for package names, making it predictable and susceptible to exploitation. If an attacker gains access to the local system, they can substitute legitimate executables with malicious ones of the same name, which users may unknowingly execute. The pkg tool is deprecated and will not receive patches for this vulnerability. Users are advised to check if their executables rely on native code and utilize the `/tmp/pkg/` directory. Transitioning to actively maintained alternatives, such as Node.js 21’s single executable applications support, is strongly recommended for enhanced security.",vercel,pkg,7.8,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-02-09T22:21:04.933Z,0
CVE-2023-46298,https://securityvulnerability.io/vulnerability/CVE-2023-46298,Denial of Service Vulnerability in Next.js by Vercel,"Next.js prior to version 13.4.20-canary.13 contains a vulnerability due to the absence of a cache-control header, which can lead to empty prefetch responses being cached by Content Delivery Networks (CDNs). This caching behavior may inadvertently cause a denial of service for users attempting to access the same URL via the CDN, resulting in interruptions in service and accessibility issues.",Vercel,Next.js,7.5,HIGH,0.0007099999929778278,false,,false,false,false,,,false,false,,2023-10-22T03:15:00.000Z,0
CVE-2017-20162,https://securityvulnerability.io/vulnerability/CVE-2017-20162,vercel ms index.js parse redos,"A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.",Vercel,Ms,4.3,MEDIUM,0.0017900000093504786,false,,false,false,false,,,false,false,,2023-01-05T11:49:24.249Z,0
CVE-2022-36046,https://securityvulnerability.io/vulnerability/CVE-2022-36046,Unexpected server crash in Next.js version 12.2.3,"Next.js is a React framework that can provide building blocks to create web applications. All of the following must be true to be affected by this CVE: Next.js version 12.2.3, Node.js version above v15.0.0 being used with strict `unhandledRejection` exiting AND using next start or a [custom server](https://nextjs.org/docs/advanced-features/custom-server). Deployments on Vercel ([vercel.com](https://vercel.com/)) are not affected along with similar environments where `next-server` isn't being shared across requests.",Vercel,Next.js,5.3,MEDIUM,0.0007600000244565308,false,,false,false,false,,,false,false,,2022-08-31T18:55:09.000Z,0
CVE-2022-23646,https://securityvulnerability.io/vulnerability/CVE-2022-23646,Improper CSP in Image Optimization API for Next.js,"Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.",Vercel,Next.js,5.9,MEDIUM,0.001829999964684248,false,,false,false,false,,,false,false,,2022-02-17T20:35:12.000Z,0
CVE-2022-21721,https://securityvulnerability.io/vulnerability/CVE-2022-21721,DOS Vulnerability in next.js,"Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this issue. As a workaround, one may ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until it becomes feasible to upgrade.",Vercel,Next.js,5.9,MEDIUM,0.0017099999822676182,false,,false,false,false,,,false,false,,2022-01-28T22:00:17.000Z,0
CVE-2021-43803,https://securityvulnerability.io/vulnerability/CVE-2021-43803,Unexpected server crash in Next.js,"Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue.",Vercel,Next.js,7.5,HIGH,0.0030900000128895044,false,,false,false,false,,,false,false,,2021-12-10T00:15:00.000Z,0
CVE-2021-39178,https://securityvulnerability.io/vulnerability/CVE-2021-39178,XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0,"Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.",Vercel,Next.js,7.5,HIGH,0.0006200000061653554,false,,false,false,false,,,false,false,,2021-08-31T00:15:00.000Z,0
CVE-2021-37699,https://securityvulnerability.io/vulnerability/CVE-2021-37699,Open Redirect in Next.js versions below 11.1.0,"Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain. We recommend everyone to upgrade regardless of whether you can reproduce the issue or not. The issue has been patched in release 11.1.0.",Vercel,Next.js,6.9,MEDIUM,0.0006200000061653554,false,,false,false,false,,,false,false,,2021-08-12T00:15:00.000Z,0
CVE-2020-15242,https://securityvulnerability.io/vulnerability/CVE-2020-15242,Open Redirect in Next.js,"Next.js versions >=9.5.0 and <9.5.4 are vulnerable to an Open Redirect. Specially encoded paths could be used with the trailing slash redirect to allow an open redirect to occur to an external site. In general, this redirect does not directly harm users although can allow for phishing attacks by redirecting to an attackers domain from a trusted domain. The issue is fixed in version 9.5.4.",Vercel,Next.js,4.7,MEDIUM,0.0006200000061653554,false,,false,false,false,,,false,false,,2020-10-08T19:50:12.000Z,0
CVE-2015-8315,https://securityvulnerability.io/vulnerability/CVE-2015-8315,,"The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a ""regular expression denial of service (ReDoS).""",Vercel,Ms,7.5,HIGH,0.0018400000408291817,false,,false,false,false,,,false,false,,2017-01-23T21:00:00.000Z,0