Next.js — CVE history (npm)

Next.js

51 CVEs affect the Next.js npm package (highest CVSS 10.0). 1 on CISA's Known Exploited Vulnerabilities catalog. Latest disclosed: 2026-05-13. Full CVE history sourced from NVD.

Summary

Package: Next.js (npm)
Total CVEs: 51
Actively exploited (CISA KEV): 1
Highest CVSS: 10.0
Latest disclosed: 2026-05-13

Recent CVEs (top 20)

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-45109 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44582 | Low | 3.7 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44581 | Medium | 4.7 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44580 | Medium | 6.1 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44579 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44578 | High | 8.6 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44577 | Medium | 5.9 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44576 | Medium | 5.4 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44575 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44574 | High | 8.1 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44573 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44572 | Low | 3.7 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-29057 | Medium | 6.5 | | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27980 | High | 7.5 | | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27979 | High | 7.5 | | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27978 | Medium | 4.3 | | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27977 | Medium | 5.4 | | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2025-59472 | Medium | 5.9 | | 2026-01-26 | A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. |
| CVE-2025-59471 | Medium | 5.9 | | 2026-01-26 | A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. |
| CVE-2025-67779 | High | 7.5 | | 2025-12-12 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. |

All-time worst (top 10 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |
| CVE-2025-29927 | Critical | 9.1 | | 2025-03-21 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44578 | High | 8.6 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44574 | High | 8.1 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-45109 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44579 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44575 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-44573 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27980 | High | 7.5 | | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |
| CVE-2026-27979 | High | 7.5 | | 2026-03-18 | Next.js is a React framework for building full-stack web applications. |

Actively exploited (CISA KEV — 1)

| CVE | Severity | CVSS | KEV | Published | Summary |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-55182 | Critical | 10.0 | KEV | 2025-12-03 | A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-… |