CVE-2025-30218

Low CVSS: 1.7

Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.

Vendor

Vercel

Product

Next.js

CWE

CWE-200

Yayın Tarihi

2025-04-02 22:15:19

Güncelleme

2025-09-10 15:14:08

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-200 Next.js LOW Vercel 2025

Referanslar

https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O

Benzer Kayıtlar

Medium

CVE-2026-29057

Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 1…

Medium

CVE-2026-27979

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Medium

CVE-2026-27980

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 1…

Medium

CVE-2026-27978

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Low

CVE-2026-27977

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 1…

Medium

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in min…