Vulnerabilities: 9 via 10 paths
Dependencies: 264
Source: GitHub
Commit: ed931396


Severity: 3 high, 5 medium, 1 low

high severity

Deserialization of Untrusted Data

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.0.9.

Overview

next is a React framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of payloads from HTTP requests to Server Function endpoints. An attacker can cause the server process to enter an infinite loop and hang, preventing it from serving future HTTP requests by sending specially crafted payloads.

Notes:

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.

Details

Serialization is the process of converting an object into a sequence of bytes that can be persisted to disk or a database, or sent through a stream. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade next to version 14.2.34, 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 16.0.9, 16.1.0-canary.19 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.1.5.

Overview

next is a React framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the fetchExternalImage() function, which is used for image optimization and loads external images into memory without a maximum size limit. An attacker can exhaust system memory and disrupt service availability by requesting optimization of very large images from external domains.

Note:

This is only exploitable if remotePatterns is configured to allow image optimization from external domains and the attacker can serve or control a large image on an allowed domain.

Remediation

Upgrade next to version 15.5.10, 16.1.1-canary.15, 16.1.5 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.1.5.

Overview

next is a React framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Partial Prerendering resume endpoint when unauthenticated POST requests with the Next-Resume: 1 header are processed and attacker-controlled postponed state data is handled. An attacker can cause the server process to crash and exhaust system memory by sending large or highly compressed payloads that are buffered or decompressed without size limits.

Note:

This is only exploitable if the application is running with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Remediation

Upgrade next to version 15.6.0-canary.61, 16.1.1-canary.16, 16.1.5 or higher.

medium severity (new)

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.1.7.

Overview

next is a React framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of an upper bound on the disk cache used by the image optimization. An attacker can exhaust disk storage by generating a large number of unique image optimization variants, leading to service disruption.

Workaround

This vulnerability can be mitigated by periodically cleaning the .next/cache/images directory or by reducing the number of possible image variants through configuration of images.localPatterns, images.remotePatterns, and images.qualities.

Remediation

Upgrade next to version 16.1.7, 16.2.0-canary.54 or higher.

medium severity

Exposure of Sensitive System Information to an Unauthorized Control Sphere

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.0.9.

Overview

next is a React framework.

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere. An attacker can access the source code of any Server Function by sending a malicious HTTP request to a vulnerable Server Function.

Notes:

This is only exploitable if a Server Function exists that explicitly or implicitly exposes a stringified argument:

'use server';

// `db` is assumed to be a database client already imported into this module.
export async function serverFunction(name) {
  const conn = db.createConnection('SECRET KEY'); // hardcoded secret: part of the bundled function source
  const user = await conn.createUser(name); // `name` is implicitly stringified and persisted in the db

  return {
    id: user.id,
    message: `Hello, ${name}!` // `name` is explicitly stringified into the reply
  };
}

An attacker may be able to leak the following:

0:{"a":"$@1","f":"","b":"Wy43RxUKdxmr5iuBzJ1pN"}
1:{"id":"tva1sfodwq","message":"Hello, async function(a){console.log(\"serverFunction\");let b=i.createConnection(\"SECRET KEY\");return{id:(await b.createUser(a)).id,message:`Hello, ${a}!`}}!"}

Secrets hardcoded in source code may be exposed, but runtime secrets such as process.env.SECRET are not affected.

The scope of the exposed code is limited to the code inside the Server Function, which may include other functions depending on the amount of inlining your bundler provides.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by these vulnerabilities. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by these vulnerabilities.

For React Native users not using a monorepo or react-dom, your react version should be pinned in your package.json, and there are no additional steps needed.

If you are using React Native in a monorepo, you should update only the impacted packages if they are installed: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack. This is required to mitigate the security advisories, but you do not need to update react and react-dom so this will not cause the version mismatch error in React Native. See this issue for more information.

Remediation

Upgrade next to version 15.0.6, 15.1.10, 15.2.7, 15.3.7, 15.4.9, 15.5.8, 16.0.9, 16.1.0-canary.19 or higher.

medium severity (new)

HTTP Request Smuggling

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.1.7.

Overview

next is a React framework.

Affected versions of this package are vulnerable to HTTP Request Smuggling during the rewrite of the proxy traffic to an external backend. An attacker can access unintended backend routes by sending crafted DELETE or OPTIONS requests with Transfer-Encoding: chunked headers. This is only exploitable if the application is not hosted on providers that handle rewrites at the CDN level.

Workaround

This vulnerability can be mitigated by blocking chunked DELETE/OPTIONS requests on rewritten routes at the edge/proxy, or by enforcing authentication and authorization on backend routes.

Remediation

Upgrade next to version 15.5.13, 16.1.7, 16.2.0-canary.102 or higher.

medium severity (new)

Cross-site Request Forgery (CSRF)

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.1.7.

Overview

next is a React framework.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the uncaught origin: null in the Server Action CSRF validation. An attacker can perform unauthorized state-changing actions on behalf of a user by inducing the user's browser to submit requests from a sandboxed context, bypassing origin verification.

Workaround

This vulnerability can be mitigated by adding CSRF tokens for sensitive Server Actions, preferring SameSite=Strict on sensitive authentication cookies, and ensuring that null is not allowed in serverActions.allowedOrigins unless intentionally required and additionally protected.

Remediation

Upgrade next to version 16.1.7, 16.2.0-canary.102 or higher.

medium severity

Incorrect Control Flow Scoping

  • Vulnerable module: @tootallnate/once
  • Introduced through: @google-cloud/storage@7.19.0

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad @google-cloud/storage@7.19.0 teeny-request@9.0.0 http-proxy-agent@5.0.0 @tootallnate/once@2.0.0
  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad @google-cloud/storage@7.19.0 retry-request@7.0.2 teeny-request@9.0.0 http-proxy-agent@5.0.0 @tootallnate/once@2.0.0

Overview

Affected versions of this package are vulnerable to Incorrect Control Flow Scoping in promise resolution when the AbortSignal option is used. The Promise remains permanently pending after the signal is aborted, so any await or .then() on it hangs indefinitely. This control-flow leak can lead to stalled requests, blocked workers, or degraded application availability.

Remediation

Upgrade @tootallnate/once to version 3.0.1 or higher.

low severity (new)

Missing Origin Validation in WebSockets

  • Vulnerable module: next
  • Introduced through: next@16.0.7

Detailed paths

  • Introduced through: bucketbrowser@alexbrand/bucketbrowser#ed9313964625208b0d766c07eef74a10b4c725ad next@16.0.7
    Remediation: Upgrade to next@16.1.7.

Overview

next is a React framework.

Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets in the internal dev endpoint when the Origin header is set to null. An attacker can interact with internal development websocket traffic by connecting from privacy-sensitive or opaque contexts, such as sandboxed documents, if the development server is accessible from attacker-controlled content.

Remediation

Upgrade next to version 16.1.7, 16.2.0-canary.102 or higher.