AI description
CVE-2026-44575 is a vulnerability impacting Next.js App Router applications, enabling attackers to bypass middleware and proxy-based authorization checks. This flaw allows unauthorized access to protected content and potentially sensitive application data. The bypass is achieved by crafting specially formed `.rsc` and `segment-prefetch` URLs that can reach restricted content without triggering the intended security rules. To address this, users are advised to upgrade to Next.js versions 15.5.16 or 16.2.5 or later.
- Description
- Next.js is a React framework for building full-stack web applications. From 15.2.0 to before 15.5.16 and 16.2.5, App Router applications that rely on middleware or proxy-based checks for authorization can allow unauthorized access through transport-specific route variants used for segment prefetching. In affected configurations, specially crafted .rsc and segment-prefetch URLs can resolve to the same page without being matched by the intended middleware rule, which can allow protected content to be reached without the expected authorization check. This vulnerability is fixed in 15.5.16 and 16.2.5.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- next.js
CVSS 3.1
- Type
- Secondary
- Base score
- 7.5
- Impact score
- 3.6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-288
- Hype score
- Not currently trending
直近のNext.jsのリリースで対応された脆弱性は記事を見るにこのあたりのことかな👀 CVE-2026-44574 CVE-2026-44575 CVE-2026-23870 CVE-2026-44578 CVE-2026-44579 Multiple Critical Vulnerabilities Patched in Next.js and React Server Components https://
@oTheRwoRldy
14 May 2026
260 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 High - Next.js Multiple Vulnerabilities (CVE-2026-44573, CVE-2026-44574, CVE-2026-44575, CVE-2026-44578, CVE-2026-44579, CVE-2026-45109) Multiple issues were identified in Next.js affecting App Router, Pages Router, Server Components, WebSockets, and caching mechanisms. The
@UpwindMDR
11 May 2026
91 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Next.js v16.2.4 Security PoC Collection CVE-2026-23870 CVE-2026-44575 CVE-2026-44579 CVE-2026-44574 CVE-2026-44578 CVE-2026-44573 CVE-2026-44581 CVE-2026-44580 CVE-2026-44577 CVE-2026-44576 CVE-2026-44582 CVE-2026-44572 https://t.co/255KwkLd0c via: Pr0xy
@Psycho10k_
11 May 2026
1975 Impressions
8 Retweets
43 Likes
28 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1FD97234-D521-4480-A0DA-785AAEFA8629",
"versionEndExcluding": "15.5.16",
"versionStartIncluding": "15.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A",
"versionEndExcluding": "16.2.5",
"versionStartIncluding": "16.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]