next-15.1.5.tgz: 7 vulnerabilities (highest severity is: 9.1) #152
Description
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (next version) | Remediation Possible** | |
|---|---|---|---|---|---|---|
| CVE-2025-29927 | 9.1 | next-15.1.5.tgz | Direct | 15.2.3 | ❌ | |
| CVE-2025-49826 | 7.5 | next-15.1.5.tgz | Direct | 15.1.8 | ❌ | |
| CVE-2025-57822 | 6.5 | next-15.1.5.tgz | Direct | 15.4.7 | ❌ | |
| CVE-2025-57752 | 6.2 | next-15.1.5.tgz | Direct | 15.4.5 | ❌ | |
| CVE-2025-55173 | 4.3 | next-15.1.5.tgz | Direct | 15.4.5 | ❌ | |
| CVE-2025-48068 | 4.3 | next-15.1.5.tgz | Direct | 15.2.2 | ❌ | |
| CVE-2025-32421 | 3.7 | next-15.1.5.tgz | Direct | 15.1.6 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-29927
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ next-15.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.
Publish Date: 2025-03-21
URL: CVE-2025-29927
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f82v-jwr5-mffw
Release Date: 2025-03-21
Fix Resolution: 15.2.3
Step up your Open Source Security Game with Mend here
CVE-2025-49826
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ next-15.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. From versions 15.1.0 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-03
URL: CVE-2025-49826
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-67rr-84xm-4c7r
Release Date: 2025-07-03
Fix Resolution: 15.1.8
Step up your Open Source Security Game with Mend here
CVE-2025-57822
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ next-15.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js Middleware versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-08-29
URL: CVE-2025-57822
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-4342-x723-ch2f
Release Date: 2025-08-29
Fix Resolution: 15.4.7
Step up your Open Source Security Game with Mend here
CVE-2025-57752
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ next-15.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
Publish Date: 2025-08-29
URL: CVE-2025-57752
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g5qg-72qw-gw5v
Release Date: 2025-08-29
Fix Resolution: 15.4.5
Step up your Open Source Security Game with Mend here
CVE-2025-55173
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ next-15.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.
Publish Date: 2025-08-29
URL: CVE-2025-55173
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-xv57-4mr9-wg8v
Release Date: 2025-08-29
Fix Resolution: 15.4.5
Step up your Open Source Security Game with Mend here
CVE-2025-48068
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ next-15.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Summary This vulnerability is similar to CVE-2018-14732. When running a Next.js server locally (e.g. through "npm run dev"), the WebSocket server is vulnerable to the Cross-site WebSocket hijacking (CSWSH) attack. and a bad actor can access the source code of client components, if a user was to visit a malicious link while having the Next.js dev server running. Impact If a user is running a Next.js server locally (e.g. "npm run dev"), and they were to browse to a malicious website, the malicious website may be able to access the source code of the Next.js app. This vulnerability only affects applications making use of App Router. Note: App Router was experimental requiring "experimental.appDir = true" in versions ">=13.0.0" to "<13.4".
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-05-30
URL: CVE-2025-48068
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-05-30
Fix Resolution: 15.2.2
Step up your Open Source Security Game with Mend here
CVE-2025-32421
Vulnerable Library - next-15.1.5.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.1.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ next-15.1.5.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve "pageProps" data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the "x-now-route-matches" header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on "200 OK" status without explicit "cache-control" headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the "x-now-route-matches" header from all incoming requests at the content development network and setting "cache-control: no-store" for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-05-14
URL: CVE-2025-32421
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-qpjv-v59x-3qc4
Release Date: 2025-05-14
Fix Resolution: 15.1.6
Step up your Open Source Security Game with Mend here