Next.js is a widely used npm package. As of 2026-05-24, there are 55 known vulnerabilities in the OSV database. The latest stable version is 16.2.6. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (55)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| GHSA-9qr9-h5gf-34mp | CRITICAL | 9.5 | 14.3.0-canary.77 to 15.0.5; 15.1.0-canary.0 to 15.1.9; 15.2.0-canary.0 to 15.2.6; 15.3.0-canary.0 to 15.3.6; 15.4.0-canary.0 to 15.4.8; 15.5.0-canary.0 to 15.5.7; 16.0.0-canary.0 to 16.0.7 | 15.0.5 | Next.js is vulnerable to RCE in React flight protocol |
| CVE-2025-29927 | CRITICAL | 9.5 | 13.0.0 to 13.5.9; 14.0.0 to 14.2.25; 15.0.0 to 15.2.3; 12.0.0 to 12.3.5 | 13.5.9 | Authorization Bypass in Next.js Middleware |
| CVE-2021-43803 | HIGH | 7.5 | 12.0.0 to 12.0.5; 0.9.9 to 11.1.3 | 12.0.5 | Unexpected server crash in Next.js. |
| CVE-2026-44575 | HIGH | 7.5 | 15.2.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes |
| CVE-2026-45109 | HIGH | 7.5 | 15.2.0 to 15.5.18; 16.0.0 to 16.2.6 | 15.5.18 | Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up |
| CVE-2026-44573 | HIGH | 7.5 | 12.2.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n |
| CVE-2017-16877 | HIGH | 7.5 | 1.0.0 to 2.4.1 | 2.4.1 | Next.js Directory Traversal Vulnerability |
| CVE-2026-44574 | HIGH | 7.5 | 15.4.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js has a Middleware / Proxy bypass through dynamic route parameter injection |
| GHSA-5j59-xgg2-r9c4 | HIGH | 7.5 | 13.3.1-canary.0 to 14.2.35; 15.0.6 to 15.0.7; 15.1.10 to 15.1.11; 15.2.7 to 15.2.8; 15.3.7 to 15.3.8; 15.4.9 to 15.4.10; 15.5.8 to 15.5.9; 15.6.0-canary.59 to 15.6.0-canary.60; 16.0.9 to 16.0.10; 16.1.0-canary.17 to 16.1.0-canary.19 | 14.2.35 | Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up |
| GHSA-5vj8-3v2h-h38v | HIGH | 7.5 | 0.9.9 to 5.1.0 | 5.1.0 | Remote Code Execution in next |
| CVE-2025-49826 | HIGH | 7.5 | 15.0.4-canary.51 to 15.1.8 | 15.1.8 | Next.JS vulnerability can lead to DoS via cache poisoning |
| CVE-2024-34350 | HIGH | 7.5 | 13.4.0 to 13.5.1 | 13.5.1 | Next.js Vulnerable to HTTP Request Smuggling |
| CVE-2024-51479 | HIGH | 7.5 | 9.5.5 to 14.2.15 | 14.2.15 | Next.js authorization bypass vulnerability |
| GHSA-8h8q-6873-q5fj | HIGH | 7.5 | 13.0.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js Vulnerable to Denial of Service with Server Components |
| CVE-2021-39178 | HIGH | 7.5 | 10.0.0 to 11.1.1 | 11.1.1 | XSS in Image Optimization API for Next.js |
| CVE-2026-44578 | HIGH | 7.5 | 13.4.13 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades |
| CVE-2024-39693 | HIGH | 7.5 | 13.3.1 to 13.5.0 | 13.5.0 | Next.js Denial of Service (DoS) condition |
| CVE-2024-34351 | HIGH | 7.5 | 13.4.0 to 14.1.1 | 14.1.1 | Next.js Server-Side Request Forgery in Server Actions |
| CVE-2024-46982 | HIGH | 7.5 | 13.5.1 to 13.5.7; 14.0.0 to 14.2.10 | 13.5.7 | Next.js Cache Poisoning |
| GHSA-h25m-26qc-wcjf | HIGH | 7.5 | 13.0.0 to 15.0.8; 15.1.1-canary.0 to 15.1.12; 15.2.0-canary.0 to 15.2.9; 15.3.0-canary.0 to 15.3.9; 15.4.0-canary.0 to 15.4.11; 15.5.1-canary.0 to 15.5.10; 15.6.0-canary.0 to 15.6.0-canary.61; 16.0.0-beta.0 to 16.0.11; 16.1.0-canary.0 to 16.1.5 | 15.0.8 | Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components |
| CVE-2018-6184 | HIGH | 7.5 | 1.0.0 to 4.2.3 | 4.2.3 | Directory traversal vulnerability in Next.js |
| CVE-2026-44579 | HIGH | 7.5 | 15.0.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components |
| GHSA-mwv6-3258-q52c | HIGH | 7.5 | 13.3.0 to 14.2.34; 15.0.0-canary.0 to 15.0.6; 15.1.1-canary.0 to 15.1.10; 15.2.0-canary.0 to 15.2.7; 15.3.0-canary.0 to 15.3.7; 15.4.0-canary.0 to 15.4.9; 15.5.1-canary.0 to 15.5.8; 15.6.0-canary.0 to 15.6.0-canary.59; 16.0.0-beta.0 to 16.0.9; 16.1.0-canary.0 to 16.1.0-canary.17 | 14.2.34 | Next Vulnerable to Denial of Service with Server Components |
| GHSA-q4gf-8mx6-v5v3 | HIGH | 7.5 | 13.0.0 to 15.5.15; 16.0.0-beta.0 to 16.2.3 | 15.5.15 | Next.js has a Denial of Service with Server Components |
| CVE-2026-27980 | MODERATE | 5.0 | 16.0.0-beta.0 to 16.1.7; 10.0.0 to 15.5.14 | 16.1.7 | Next.js: Unbounded next/image disk cache growth can exhaust storage |
| CVE-2025-57822 | MODERATE | 5.0 | 0.9.9 to 14.2.32; 15.0.0-canary.0 to 15.4.7 | 14.2.32 | Next.js Improper Middleware Redirect Handling Leads to SSRF |
| CVE-2025-59472 | MODERATE | 5.0 | 16.0.0-beta.0 to 16.1.5; >= 15.0.0-canary.0; >= 15.0.1-canary.0; >= 15.0.2-canary.0; >= 15.0.3-canary.0; >= 15.0.4-canary.0; >= 15.1.1-canary.0; >= 15.2.0-canary.0; >= 15.2.1-canary.0; >= 15.2.2-canary.0; >= 15.3.0-canary.0; >= 15.3.1-canary.0; >= 15.4.0-canary.0; >= 15.4.2-canary.0; >= 15.5.1-canary.0; 15.6.0-canary.0 to 15.6.0-canary.61 | 16.1.5 | Next.js has Unbounded Memory Consumption via PPR Resume Endpoint |
| CVE-2024-56332 | MODERATE | 5.0 | 13.0.0 to 13.5.8; 14.0.0 to 14.2.21; 15.0.0 to 15.1.2 | 13.5.8 | Next.js Allows a Denial of Service (DoS) with Server Actions |
| CVE-2025-59471 | MODERATE | 5.0 | 10.0.0 to 15.5.10; 15.6.0-canary.0 to 16.1.5 | 15.5.10 | Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration |
| CVE-2026-44581 | MODERATE | 5.0 | 13.4.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces |
| CVE-2022-23646 | MODERATE | 5.0 | 10.0.0 to 12.1.0 | 12.1.0 | Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0 |
| CVE-2020-5284 | MODERATE | 5.0 | 0.9.9 to 9.3.2 | 9.3.2 | Directory Traversal in Next.js |
| CVE-2025-57752 | MODERATE | 5.0 | 0.9.9 to 14.2.31; 15.0.0 to 15.4.5 | 14.2.31 | Next.js Affected by Cache Key Confusion for Image Optimization API Routes |
| CVE-2024-47831 | MODERATE | 5.0 | 10.0.0 to 14.2.7 | 14.2.7 | Denial of Service condition in Next.js image optimization |
| CVE-2026-29057 | MODERATE | 5.0 | 16.0.0-beta.0 to 16.1.7; 9.5.0 to 15.5.13 | 16.1.7 | Next.js: HTTP request smuggling in rewrites |
| CVE-2026-44580 | MODERATE | 5.0 | 13.0.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js has cross-site scripting in beforeInteractive scripts with untrusted input |
| CVE-2026-27979 | MODERATE | 5.0 | 16.0.1 to 16.1.7 | 16.1.7 | Next.js: Unbounded postponed resume buffering can lead to DoS |
| CVE-2026-44577 | MODERATE | 5.0 | 10.0.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js has a Denial of Service in the Image Optimization API |
| CVE-2026-27978 | MODERATE | 5.0 | 16.0.1 to 16.1.7 | 16.1.7 | Next.js: null origin can bypass Server Actions CSRF checks |
| CVE-2018-18282 | MODERATE | 5.0 | 7.0.0 to 7.0.2 | 7.0.2 | Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page |
| CVE-2021-37699 | MODERATE | 5.0 | 0.9.9 to 11.1.0 | 11.1.0 | Open Redirect in Next.js |
| GHSA-w37m-7fhw-fmv9 | MODERATE | 5.0 | 15.0.0-canary.0 to 15.0.6; 15.1.1-canary.0 to 15.1.10; 15.2.0-canary.0 to 15.2.7; 15.3.0-canary.0 to 15.3.7; 15.4.0-canary.0 to 15.4.9; 15.5.1-canary.0 to 15.5.8; 15.6.0-canary.0 to 15.6.0-canary.59; 16.0.0-beta.0 to 16.0.9; 16.1.0-canary.0 to 16.1.0-canary.17 | 15.0.6 | Next Server Actions Source Code Exposure |
| CVE-2026-44576 | MODERATE | 5.0 | 14.2.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js vulnerable to cache poisoning in React Server Component responses |
| CVE-2022-36046 | MODERATE | 5.0 | 12.2.3 to 12.2.4 | 12.2.4 | Unexpected server crash in Next.js |
| CVE-2022-21721 | MODERATE | 5.0 | 12.0.0 to 12.0.9 | 12.0.9 | Denial of Service Vulnerability in next.js |
| CVE-2020-15242 | MODERATE | 5.0 | 9.5.0 to 9.5.4 | 9.5.4 | Open Redirect in Next.js versions |
| CVE-2025-55173 | MODERATE | 5.0 | 0.9.9 to 14.2.31; 15.0.0 to 15.4.5 | 14.2.31 | Next.js Content Injection Vulnerability for Image Optimization |
| CVE-2025-30218 | LOW | 2.5 | 12.3.5 to 12.3.6; 13.5.9 to 13.5.10; 14.2.25 to 14.2.26; 15.2.3 to 15.2.4 | 12.3.6 | Next.js may leak x-middleware-subrequest-id to external hosts |
| CVE-2026-44572 | LOW | 2.5 | 12.2.0 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js's Middleware / Proxy redirects can be cache-poisoned |
| CVE-2025-48068 | LOW | 2.5 | 15.0.0 to 15.2.2; 13.0 to 14.2.30 | 15.2.2 | Information exposure in Next.js dev server due to lack of origin verification |
| CVE-2023-46298 | LOW | 2.5 | 0.9.9 to 13.4.20-canary.13 | 13.4.20-canary.13 | Next.js missing cache-control header may lead to CDN caching empty reply |
| CVE-2026-27977 | LOW | 2.5 | 16.0.1 to 16.1.7 | 16.1.7 | Next.js: null origin can bypass dev HMR websocket CSRF checks |
| CVE-2025-32421 | LOW | 2.5 | 0.9.9 to 14.2.24; 15.0.0 to 15.1.6 | 14.2.24 | Next.js Race Condition to Cache Poisoning |
| CVE-2025-49005 | LOW | 2.5 | 15.3.0 to 15.3.3 | 15.3.3 | Next.js has a Cache poisoning vulnerability due to omission of the Vary header |
| CVE-2026-44582 | LOW | 2.5 | 13.4.6 to 15.5.16; 16.0.0 to 16.2.5 | 15.5.16 | Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting |
Security Recommendations
- Pin Next.js to the latest stable version (16.2.6) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using npm audit
- Review your lock file (package-lock.json) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is Next.js safe to use?
Next.js is actively maintained and widely used. As of 2026-05-24, there are 55 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does Next.js have?
The OSV database currently lists 55 vulnerabilities for Next.js. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update Next.js to fix vulnerabilities?
Run npm update next or npm install next@latest to get the newest version. Use npm audit to identify vulnerable dependencies in your project. Enable automated updates with Dependabot or Renovate to stay current.
Using AI-Generated Code with Next.js?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses Next.js, we can verify it is locked to a safe version and properly configured.