Vulnerabilities

 15 via 15 paths

Dependencies

 141

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 9
  • 5
  • 1
Status
  • 15
  • 0
  • 0

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.3.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the createMap, createSet, and extractIterator functions in packages/react-server/src/ReactFlightReplyServer.js. An attacker can crash the server by supplying a model that contains cyclic reference and is consumed more than once during React Server Components decoding. The repeated consumption triggers an exception during reply processing, breaking rendering for requests that handle attacker-controlled Flight payloads.

Remediation

Upgrade next to version 15.5.15, 16.2.3 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via server function endpoints. An attacker can cause out-of-memory exceptions or induce excessive CPU usage by sending malicious FormData in an HTTP request.

Note: Only React apps that use React Server Components are vulnerable.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling involving Partial Prerendering in the Cache Components feature. An attacker can exhaust the connection pool by sending malicious POST requests that cause a deadlock. This, in turn, causes connections to be left open and consumes file descriptors and server capacity.

Workaround

This vulnerability can be mitigated by blocking requests containing the next-resume header at the edge.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Authentication Bypass Using an Alternate Path or Channel

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the handling of segment-prefetch routes. An attacker can gain unauthorized access to protected content by crafting .rsc and segment-prefetch URLs that bypass intended authorization checks in middleware or proxy-based configurations.

Notes:

  • This is only exploitable if authorization is enforced solely through middleware or proxy checks, and not within the underlying route or page logic.
  • This fix is incomplete and does not cover middleware.ts with Turbopack enabled. For additional details see CVE-2026-45109

Workaround

This vulnerability can be mitigated by enforcing authorization within the underlying route or page logic rather than relying solely on middleware.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Authentication Bypass Using an Alternate Path or Channel vulnerability report

high severity
new

Authentication Bypass Using an Alternate Path or Channel

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.6.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the middleware.ts with Turbopack enabled. An attacker can gain unauthorized access to protected resources by bypassing authentication mechanisms through specially crafted segment-prefetch routes.

Note: This vulnerability relates to the incomplete fix of CVE-2026-44575

Remediation

Upgrade next to version 15.5.18, 16.2.6 or higher.

References

Authentication Bypass Using an Alternate Path or Channel vulnerability report

high severity
new

Authentication Bypass Using an Alternate Path or Channel

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via dynamic full-route RSC requests in the deployment adapter. An attacker can gain unauthorized access to protected content by injecting a URL with query params that got misclassified by the onCacheEntryV2 callback as HTML, bypassing expected authorization checks.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Authentication Bypass Using an Alternate Path or Channel vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the /_next/image endpoint that match the images.localPatterns configuration. An attacker can exhaust server memory and cause a denial of service by requesting large local assets, leading to out-of-memory conditions.

Note: This is only exploitable if the default image loader is used and the images.localPatterns configuration allows access to large local files.

Workaround

This vulnerability can be mitigated by disabling routing of large local assets through /_next/image, disabling image optimization for large or untrusted local files, blocking image optimization access to those assets at the edge, or setting images.localPatterns: [] in the configuration.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity
new

Incorrect Authorization

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Incorrect Authorization in the /_next/data/<buildId>/<page>.json route when i18n is configured and authorization is enforced via middleware or proxy. An attacker can gain unauthorized access to sensitive server-side-rendered JSON data for protected pages by making locale-less requests that bypass the intended authorization checks.

Workaround

This vulnerability can be mitigated by enforcing authorization within the page's server-side data path rather than relying solely on middleware.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Incorrect Authorization vulnerability report

high severity
new

Server-side Request Forgery (SSRF)

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via crafted WebSocket upgrade requests. An attacker can access internal or external resources by sending specially crafted requests with absolute-url that cause the server to proxy connections to arbitrary destinations, potentially exposing sensitive internal services or cloud metadata endpoints.

Workaround

This vulnerability can be mitigated by not exposing the origin server directly to untrusted networks, blocking WebSocket upgrades at the reverse proxy or load balancer if not required, and restricting origin egress to internal networks and metadata services where possible.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Server-side Request Forgery (SSRF) vulnerability report

medium severity
new

Acceptance of Extraneous Untrusted Data With Trusted Data

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the x-nextjs-data header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths by injecting this header in requests, causing the middleware to generate a redirect response lacking a standard Location header. If a CDN or reverse proxy caches this malformed response without varying on the injected header, subsequent users may receive unusable redirects, resulting in service disruption until the cache is cleared.

Workaround

This vulnerability can be mitigated by configuring the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability report

medium severity
new

Interpretation Conflict

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Interpretation Conflict via improper handling of shared cache entries for React Server Component responses. An attacker can cause unintended component payloads to be served to other users by manipulating shared cache behavior through crafted requests.

Workaround

This vulnerability can be mitigated by ensuring your CDN or reverse proxy keys on the relevant RSC request headers honor Vary, or by disabling shared caching for affected App Router and RSC responses.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Interpretation Conflict vulnerability report

medium severity
new

Use of Weak Hash

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the _rsc cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is only exploitable if deployments rely on shared caches with insufficient response partitioning.

Workaround

This vulnerability can be mitigated by ensuring intermediary caches correctly honor Vary for RSC-related request headers, or by disabling shared caching for affected RSC responses until a patched release is deployed.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Use of Weak Hash vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: postcss
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1 postcss@8.4.31

Overview

postcss is a PostCSS is a tool for transforming styles with JS plugins.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in CSS Stringify Output. An attacker can execute arbitrary JavaScript code in the context of the affected web page by submitting crafted CSS containing </style> sequences that are not properly escaped when embedded within HTML <style> tags.

PoC

const postcss = require('postcss');

// Parse user CSS and re-stringify for page embedding
const userCSS = 'body { content: "</style><script>alert(1)</script><style>"; }';
const ast = postcss.parse(userCSS);
const output = ast.toResult().css;
const html = `<style>${output}</style>`;

console.log(html);
// <style>body { content: "</style><script>alert(1)</script><style>"; }</style>
//
// Browser: </style> closes the style tag, <script> executes

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade postcss to version 8.5.10 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity
new

Cross-site Scripting (XSS)

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the beforeInteractive process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious content into the serialized script.

Workaround

This vulnerability can be mitigated by not passing untrusted data into beforeInteractive scripts, or by sanitizing or escaping the content before embedding it.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity
new

Cross-site Scripting (XSS)

  • Vulnerable module: next
  • Introduced through: next@16.2.1

Detailed paths

  • Introduced through: meds-warning@nicolasomar/meds-warning next@16.2.1
    Remediation: Upgrade to next@16.2.5.

Overview

next is a react framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the CSP nonce headers. An attacker can inject malicious scripts into cached HTML responses by supplying malformed nonce values, which may then be executed in the browsers of subsequent visitors. This is possible when applications are deployed behind shared caches and rely on request-derived nonce values.

Workaround

This vulnerability can be mitigated by stripping inbound Content-Security-Policy request headers from untrusted traffic.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade next to version 15.5.16, 16.2.5 or higher.

References

Cross-site Scripting (XSS) vulnerability report