Next.js Support & Health

GHSA-223j-4rm8-mrmf CVSS_V4

Next.js may leak x-middleware-subrequest-id to external hosts

Published: 2025-04-02 Fixed in: 12.3.6

GHSA-25mp-g6fv-mqxx CVSS_V3

Unexpected server crash in Next.js.

Published: 2021-12-07 Fixed in: 12.0.5

GHSA-267c-6grr-h53f CVSS_V3

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes

Published: 2026-05-11 Fixed in: 15.5.16

GHSA-26hh-7cqf-hhc6 CVSS_V3

Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up

Published: 2026-05-11 Fixed in: 15.5.18

GHSA-36qx-fr4f-26g5 CVSS_V3

Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n

Published: 2026-05-11 Fixed in: 15.5.16

GHSA-3f5c-4qxj-vmpf CVSS_V3

Next.js Directory Traversal Vulnerability

Published: 2017-12-05 Fixed in: 2.4.1

GHSA-3g8h-86w9-wvmq CVSS_V3

Next.js's Middleware / Proxy redirects can be cache-poisoned

Published: 2026-05-11 Fixed in: 15.5.16

GHSA-3h52-269p-cp9r CVSS_V4

Information exposure in Next.js dev server due to lack of origin verification

Published: 2025-05-28 Fixed in: 15.2.2

GHSA-3x4c-7xq6-9pq8 CVSS_V4

Next.js: Unbounded next/image disk cache growth can exhaust storage

Published: 2026-03-17 Fixed in: 16.1.7

GHSA-4342-x723-ch2f CVSS_V3

Next.js Improper Middleware Redirect Handling Leads to SSRF

Published: 2025-08-29 Fixed in: 14.2.32

Next.js