nextjs-security-deps-v1 (Certified) v1.0.0

Next.js security dependency alerts

Dependency vulnerability alerts for Next.js (advisory; requires confirmation).

Protects against

CVE-2020-28500, CVE-2021-23337, CVE-2021-3749, CVE-2022-0235, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541, CVE-2023-45857, CVE-2024-34350, CVE-2024-34351, CVE-2024-39693, CVE-2024-46982, CVE-2024-47831, CVE-2024-51479, CVE-2024-56332, CVE-2025-13465, CVE-2025-27152, CVE-2025-29927, CVE-2025-49826, CVE-2025-55173, CVE-2025-55182, CVE-2025-55183, CVE-2025-55184, CVE-2025-57752, CVE-2025-57822, CVE-2025-59471, CVE-2025-59472, CVE-2025-62718, CVE-2025-67779, CVE-2026-23864, CVE-2026-23869, CVE-2026-23870, CVE-2026-25639, CVE-2026-27978, CVE-2026-27979, CVE-2026-27980, CVE-2026-29057, CVE-2026-2950, CVE-2026-40175, CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42038, CVE-2026-42039, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-44573, CVE-2026-44574, CVE-2026-44575, CVE-2026-44576, CVE-2026-44577, CVE-2026-44578, CVE-2026-44579, CVE-2026-44580, CVE-2026-44581, CVE-2026-45109, CVE-2026-4800, GHSA-5j59-xgg2-r9c4, GHSA-9qr9-h5gf-34mp, GHSA-h25m-26qc-wcjf, GHSA-mwv6-3258-q52c, GHSA-npm-1111391, GHSA-npm-1112182, GHSA-npm-1112653, GHSA-w37m-7fhw-fmv9

Rule body

# Next.js security dependency alerts

Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files.

Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades.

### CVE-2025-29927 — Authorization Bypass in Next.js Middleware

Context: Middleware authorization checks can be bypassed through request path manipulation or internal routing.
Source: https://github.com/advisories/GHSA-f82v-jwr5-mffw

WHEN you detect `next` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2025-29927: next may be vulnerable. Middleware authorization checks can be bypassed through request path manipulation or internal routing. Patched versions: next >=14.2.25

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls next`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2022-0235 — node-fetch forwards secure headers to untrusted sites

Context: Redirect handling can forward Authorization and cookie headers to untrusted origins.
Source: https://github.com/advisories/GHSA-r683-j2x4-v87g

WHEN you detect `node-fetch` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2022-0235: node-fetch may be vulnerable. Redirect handling can forward Authorization and cookie headers to untrusted origins. Patched versions: node-fetch >=2.6.7

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls node-fetch`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2024-34351 — Next.js Server-Side Request Forgery in Server Actions

Context: Server Actions with modified Host headers can bypass origin validation and make requests appearing to originate from the application server itself.
Source: https://github.com/advisories/GHSA-fr5h-rqp8-mj6g

WHEN you detect `next` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2024-34351: next may be vulnerable. Server Actions with modified Host headers can bypass origin validation and make requests appearing to originate from the application server itself. Patched versions: next >=14.1.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls next`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2022-23539 — jsonwebtoken unrestricted key type could lead to legacy keys usage

Context: Mismatched key types and algorithms in JWT verification can allow legacy insecure keys like DSA to validate signatures they shouldn't.
Source: https://github.com/advisories/GHSA-8cf7-32gw-wr33

WHEN you detect `jsonwebtoken` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2022-23539: jsonwebtoken may be vulnerable. Mismatched key types and algorithms in JWT verification can allow legacy insecure keys like DSA to validate signatures they shouldn't. Patched versions: jsonwebtoken >=9.0.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls jsonwebtoken`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2024-46982 — Next.js Cache Poisoning

Context: Crafted HTTP requests can poison non-dynamic page router caches, forcing unintended CDN caching with public headers.
Source: https://github.com/advisories/GHSA-gp8f-8m3g-qvj9

WHEN you detect `next` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2024-46982: next may be vulnerable. Crafted HTTP requests can poison non-dynamic page router caches, forcing unintended CDN caching with public headers. Patched versions: next >=14.2.10

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls next`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2021-3749 — axios Inefficient Regular Expression Complexity vulnerability

Context: Malicious response headers with many colons can cause excessive backtracking in header parsing regex.
Source: https://github.com/advisories/GHSA-cph5-m8f7-6c5x

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2021-3749: axios may be vulnerable. Malicious response headers with many colons can cause excessive backtracking in header parsing regex. Patched versions: axios >=0.21.2

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2021-23337 — Command Injection in lodash

Context: Template functions can execute arbitrary code when processing untrusted input strings.
Source: https://github.com/advisories/GHSA-35jh-r3h4-6jhm

WHEN you detect `lodash` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2021-23337: lodash may be vulnerable. Template functions can execute arbitrary code when processing untrusted input strings. Patched versions: lodash >=4.17.21

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls lodash`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2024-51479 — Next.js authorization bypass vulnerability

Context: Pathname-based authorization checks in middleware can be bypassed through request manipulation.
Source: https://github.com/advisories/GHSA-7gfc-8cq8-jh5f

WHEN you detect `next` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2024-51479: next may be vulnerable. Pathname-based authorization checks in middleware can be bypassed through request manipulation. Patched versions: next >=14.2.15

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls next`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2025-27152 — axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

Context: Absolute URLs in axios requests bypass baseURL and route requests to attacker-controlled origins, leaking credentials.
Source: https://github.com/advisories/GHSA-jr5f-v2jv-69x6

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2025-27152: axios may be vulnerable. Absolute URLs in axios requests bypass baseURL and route requests to attacker-controlled origins, leaking credentials. Patched versions: axios >=0.30.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-25639 — Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig

Context: Malicious config objects with __proto__ properties can crash mergeConfig and cause denial of service.
Source: https://github.com/advisories/GHSA-43fc-jf86-j433

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-25639: axios may be vulnerable. Malicious config objects with __proto__ properties can crash mergeConfig and cause denial of service. Patched versions: axios >=0.30.3

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-4800 — lodash vulnerable to Code Injection via `_.template` imports key names

Context: Template imports with untrusted key names can execute arbitrary code via Function constructor injection during compilation.
Source: https://github.com/advisories/GHSA-r5fr-rjxr-66jc

WHEN you detect `lodash` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-4800: lodash may be vulnerable. Template imports with untrusted key names can execute arbitrary code via Function constructor injection during compilation. Patched versions: lodash >=4.18.0

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls lodash`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-42043 — Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Context: Proxy bypass via RFC 1122 loopback subnets can route sensitive requests through untrusted intermediaries despite NO_PROXY rules.
Source: https://github.com/advisories/GHSA-pmwg-cvhr-8vh7

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-42043: axios may be vulnerable. Proxy bypass via RFC 1122 loopback subnets can route sensitive requests through untrusted intermediaries despite NO_PROXY rules. Patched versions: axios >=0.31.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-42033 — Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Context: Prototype pollution from co-dependencies can enable silent response tampering and request hijacking if axios properties lack hasOwnProperty guards.
Source: https://github.com/advisories/GHSA-pf86-5x62-jrwf

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-42033: axios may be vulnerable. Prototype pollution from co-dependencies can enable silent response tampering and request hijacking if axios properties lack hasOwnProperty guards. Patched versions: axios >=0.31.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2026-42035 — Axios: Header Injection via Prototype Pollution

Context: Prototype pollution can trick Axios into calling attacker-controlled getHeaders methods that inject arbitrary HTTP headers into outgoing requests.
Source: https://github.com/advisories/GHSA-6chq-wfr3-2hj9

WHEN you detect `axios` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2026-42035: axios may be vulnerable. Prototype pollution can trick Axios into calling attacker-controlled getHeaders methods that inject arbitrary HTTP headers into outgoing requests. Patched versions: axios >=0.31.1

CHECK for dependency conflicts before proposing any upgrade:
Run: `npm ls axios`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---