Security

Report a vulnerability

SECURITY.md

Reporting Security Issues

If you believe you have found a security vulnerability, we encourage you to let us know right away.

We will investigate all legitimate reports and do our best to quickly fix the problem.

Please report any vulnerabilities in our open source repositories to responsible.disclosure@vercel.com.

Server-Side Request Forgery in Server Actions
GHSA-fr5h-rqp8-mj6g published May 9, 2024 by jackwilson323

High
Unexpected server crash in Next.js version 12.2.3
GHSA-wff4-fpwg-qqv3 published Aug 24, 2022 by ijjk

Moderate
Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.0.10
GHSA-fmvm-x8mv-47mj published Feb 17, 2022 by styfle

Moderate
DOS Vulnerability for self-hosted next.js apps using i18n
GHSA-wr66-vrwm-5g5x published Jan 28, 2022 by jescalan

Moderate
Unexpected server crash in Next.js versions above 11.1.0 and below 12.0.5
GHSA-25mp-g6fv-mqxx published Dec 6, 2021 by timneutkens

High
XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0
GHSA-9gr3-7897-pp7m published Aug 30, 2021 by styfle

Moderate
Open Redirect in Next.js versions below 11.1.0
GHSA-vxf5-wxwp-m7g9 published Aug 11, 2021 by timneutkens

Moderate
Open Redirect in Next.js versions between 9.5.0 and 9.5.3
GHSA-x56p-c8cg-q435 published Oct 8, 2020 by timneutkens

Moderate
Directory Traversal in Next.js versions below 9.3.2
GHSA-fq77-7p7r-83rj published Mar 30, 2020 by timneutkens

Moderate

Learn more about advisories related to vercel/next.js in the GitHub Advisory Database