Known vulnerabilities in vercel Next.js

Vendor: vercel

Website: https://github.com/vercel

Total Security Bulletins: 35

Security bulletins (35)

Secuity bulletin	Severity	Status	Published
SB2026012703: Next.js update for React Server Components	Medium	Patched	27.01.2026
SB2026012662: Two DoS vulnerabilities in Next.js	Medium	Patched	26.01.2026
SB2025121222: Denial of service in Next.js React Server Components	Medium	Patched	12.12.2025
SB2025121221: Source code exposure in Next.js App Router	Medium	Patched Public exploit	12.12.2025
SB2025121220: Denial of service in Next.js App Router	Medium	Patched Public exploit	12.12.2025
SB2025120334: Remote code execution via React Server Components in Next.js	Critical	Patched Exploited	03.12.2025
SB2025083005: Use of cache containing sensitive information in Next.js	Medium	Patched	30.08.2025
SB2025083004: External image manipulation in Next.js	Low	Patched	30.08.2025
SB2025083002: SSRF in Next.js	Medium	Patched	30.08.2025
SB2025070419: Denial of service via cache poisoning in Next.js	Medium	Patched	04.07.2025
SB2025070417: Cache poisoning attack in Next.js	Medium	Patched	04.07.2025
SB2025052970: Missing WebSocket origin validation in Next.js	Low	Patched	29.05.2025
SB2025051603: Cache poisoning in Next.js	Low	Patched Public exploit	16.05.2025
SB2025040314: Information disclosure in Next.js	Low	Patched	03.04.2025
SB2025032132: Authorization bypass in Next.js	High	Patched Public exploit	21.03.2025
SB2025032022: Resource exhaustion in Next.js	High	Patched	20.03.2025
SB2025012133: Authorization bypass in Next.js	Medium	Patched	21.01.2025
SB2025012132: Denial of service in Next.js	Medium	Patched	21.01.2025
SB2024101466: Denial of service in Next.js image optimization	Medium	Patched	14.10.2024
SB2024091832: Cache poisoning in Next.js	Medium	Patched Public exploit	18.09.2024
SB2024071113: Denial of service in Next.js	Medium	Patched	11.07.2024
SB2024051026: Server-side request forgery in Next.js Server Actions	Medium	Patched Public exploit	10.05.2024
SB2024051025: HTTP request smuggling in Next.js	Medium	Patched	10.05.2024
SB2022082450: Denial of service in Next.js	Low	Patched	24.08.2022
SB2022021744: Spoofing attack in Next.js	Medium	Patched	17.02.2022
SB2022012821: Denial of service in Next.js	Medium	Patched	28.01.2022
SB2021120643: Denial of service in Next.js	Medium	Patched	06.12.2021
SB2021090111: Cross-site scripting in Next.js	Low	Patched	01.09.2021
SB2021081127: Open redirect in Next.js	Low	Patched	11.08.2021
SB2020100904: Open redirect in Next.js	Low	Patched	09.10.2020
SB2020033113: Path traversal in Next.js	Medium	Patched	31.03.2020
SB2018101403: Cross-site scripting in Next.js	Low	Patched	14.10.2018
SB2018012426: Path traversal in Zeit Next.js	Medium	Patched	24.01.2018
SB2017111707: Path traversal in Zeit Next.js	Medium	Patched	17.11.2017
SB2017060209: Directory traversal in Next.js 2.0	Medium	Patched	02.06.2017