next-14.2.21.tgz: 2 vulnerabilities (highest severity is: 9.1) #419
Description
Vulnerable Library - next-14.2.21.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-14.2.21.tgz
Path to dependency file: /playground/package.json
Path to vulnerable library: /playground/package.json
Found in HEAD commit: 2c2e4a13b710ceb8f65cd32664895e4278834389
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (next version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-29927 |  Critical |
9.1 | next-14.2.21.tgz | Direct | 14.2.25 | ❌ |
| CVE-2025-48068 |  Medium |
4.7 | next-14.2.21.tgz | Direct | 14.2.30 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-29927
Vulnerable Library - next-14.2.21.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-14.2.21.tgz
Path to dependency file: /playground/package.json
Path to vulnerable library: /playground/package.json
Dependency Hierarchy:
- ❌ next-14.2.21.tgz (Vulnerable Library)
Found in HEAD commit: 2c2e4a13b710ceb8f65cd32664895e4278834389
Found in base branch: develop
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.
Publish Date: 2025-03-21
URL: CVE-2025-29927
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f82v-jwr5-mffw
Release Date: 2025-03-21
Fix Resolution: 14.2.25
Step up your Open Source Security Game with Mend here
CVE-2025-48068
Vulnerable Library - next-14.2.21.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-14.2.21.tgz
Path to dependency file: /playground/package.json
Path to vulnerable library: /playground/package.json
Dependency Hierarchy:
- ❌ next-14.2.21.tgz (Vulnerable Library)
Found in HEAD commit: 2c2e4a13b710ceb8f65cd32664895e4278834389
Found in base branch: develop
Vulnerability Details
Summary This vulnerability is similar to CVE-2018-14732. When running a Next.js server locally (e.g. through "npm run dev"), the WebSocket server is vulnerable to the Cross-site WebSocket hijacking (CSWSH) attack. and a bad actor can access the source code of client components, if a user was to visit a malicious link while having the Next.js dev server running. Impact If a user is running a Next.js server locally (e.g. "npm run dev"), and they were to browse to a malicious website, the malicious website may be able to access the source code of the Next.js app. This vulnerability only affects applications making use of App Router. Note: App Router was experimental requiring "experimental.appDir = true" in versions ">=13.0.0" to "<13.4".
Publish Date: 2025-05-30
URL: CVE-2025-48068
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-05-30
Fix Resolution: 14.2.30
Step up your Open Source Security Game with Mend here