Componentpedia / Listings / next / 9.1.2

Last update: 06/09/2025

next

The React Framework

Version: 9.1.2 registry icon
Safety score
5
Check your open source dependency risks. Get immediate insight about security, stability and licensing risks.
De-risk your app now
Security Risks of Known Vulnerabilities
CVE-2025-32421
CWE-362
Threat level: LOW | CVSS score: 2

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the x-now-route-matches header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on 200 OK status without explicit cache-control headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the x-now-route-matches header from all incoming requests at the content development network and setting cache-control: no-store for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.


CVE-2025-57822
CWE-918
Threat level: MEDIUM | CVSS score: 5

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.


CVE-2021-43803
CWE-20
Threat level: HIGH | CVSS score: 8

Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In order to be affected by this issue, the deployment must use Next.js versions above 11.1.0 and below 12.0.5, Node.js above 15.0.0, and next start or a custom server. Deployments on Vercel are not affected, along with similar environments where invalid requests are filtered before reaching Next.js. Versions 12.0.5 and 11.1.3 contain patches for this issue. Note that prior version 0.9.9 package next hosted a different utility (0.4.1 being the latest version of that codebase), and this advisory does not apply to those versions.


CVE-2021-37699
CWE-601
Threat level: MEDIUM | CVSS score: 5

Next.js is an open source website development framework to be used with the React library. In affected versions specially encoded paths could be used when pages/_error.js was statically generated, allowing an open redirect to occur to an external site. In general, this redirect does not directly harm users although it can allow for phishing attacks by redirecting to an attacker's domain from a trusted domain.


CVE-2025-57752
CWE-524
Threat level: MEDIUM | CVSS score: 5

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.


CVE-2025-55173
CWE-20
Threat level: MEDIUM | CVSS score: 5

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.


Please note that this component is affected by 2 other vulnerabilities
0 Critical  |  1 High  |  1 Medium  |  0 Low  |  0 Suggest

Latest safe major: 15.5.2 Scan your application codebase with Meterian to see all known vulnerabilities in your open source software dependencies.


Stability

Stay updated with the latest patches and releases. Plan your sofware desisgn. Avoid common known vulnerabilities fixed by the open source community

Latest patch release:   9.1.7

Latest minor release:   9.5.5

Latest major release:   15.5.2

Licensing

Maintain your licence declarations and avoid unwanted licences to protect your IP the way you intended.

MIT   -   MIT License

Not a wildcard

Not proprietary

OSI Compliant