Vulnerability-Lookup

CVE-2026-44572 (GCVE-0-2026-44572)

Vulnerability from cvelistv5 – Published: 2026-05-13 15:57 – Updated: 2026-05-14 15:33

Title

Next.js: Middleware / Proxy redirects can be cache-poisoned

Summary

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.

Severity ?

3.7 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/vercel/next.js/security/adviso…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
vercel	next.js	Affected: >= 12.2.0, < 15.5.16 Affected: >= 16.0.0, < 16.2.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44572",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T15:32:48.568772Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T15:33:10.541Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "next.js",
          "vendor": "vercel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 12.2.0, \u003c 15.5.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0, \u003c 16.2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:57:15.750Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq"
        }
      ],
      "source": {
        "advisory": "GHSA-3g8h-86w9-wvmq",
        "discovery": "UNKNOWN"
      },
      "title": "Next.js: Middleware / Proxy redirects can be cache-poisoned"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44572",
    "datePublished": "2026-05-13T15:57:15.750Z",
    "dateReserved": "2026-05-06T21:49:12.424Z",
    "dateUpdated": "2026-05-14T15:33:10.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44572",
      "date": "2026-05-17",
      "epss": "6e-05",
      "percentile": "0.00396"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44572\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-13T16:16:58.800\",\"lastModified\":\"2026-05-15T15:46:08.980\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-349\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndExcluding\":\"15.5.16\",\"matchCriteriaId\":\"31A12CFA-9A52-4285-B5F3-E5FAD69DF477\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.2.5\",\"matchCriteriaId\":\"27C5CF7A-7A33-4BE4-B8FD-10BFD813204A\"}]}]}],\"references\":[{\"url\":\"https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Next.js: Middleware / Proxy redirects can be cache-poisoned\", \"source\": {\"advisory\": \"GHSA-3g8h-86w9-wvmq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"vercel\", \"product\": \"next.js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 12.2.0, \u003c 15.5.16\"}, {\"status\": \"affected\", \"version\": \"\u003e= 16.0.0, \u003c 16.2.5\"}]}], \"references\": [{\"url\": \"https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq\", \"name\": \"https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-349\", \"description\": \"CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-13T15:57:15.750Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44572\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-14T15:32:48.568772Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-05-14T15:33:04.651Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44572\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T15:57:15.750Z\", \"dateReserved\": \"2026-05-06T21:49:12.424Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-13T15:57:15.750Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

WID-SEC-W-2026-1401

Vulnerability from csaf_certbund - Published: 2026-05-06 22:00 - Updated: 2026-05-13 22:00

Summary

Vercel Next.js: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Next.js ist ein Framework für React-basierte Web-Anwendungen.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Vercel Next.js ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-23870

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44572

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44573

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44574

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44575

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44576

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44577

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44578

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44579

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44580

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44581

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

CVE-2026-44582

Affected products

Known affected 2 products

Product	Identifier	Version	Remediation
Vercel Next.js <16.2.5 Vercel / Next.js		<16.2.5
Vercel Next.js <15.5.16 Vercel / Next.js		<15.5.16

References

14 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external
https://github.com/vercel/next.js/security/adviso…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Next.js ist ein Framework f\u00fcr React-basierte Web-Anwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Vercel Next.js ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1401 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1401.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1401 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1401"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-267c-6grr-h53f vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-267c-6grr-h53f"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-36qx-fr4f-26g5 vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-36qx-fr4f-26g5"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-3g8h-86w9-wvmq vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-492v-c6pp-mqqv vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-8h8q-6873-q5fj vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-8h8q-6873-q5fj"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-c4j6-fc7j-m34r vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-c4j6-fc7j-m34r"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-ffhc-5mcf-pf4q vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-ffhc-5mcf-pf4q"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-gx5p-jg67-6x7h vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-gx5p-jg67-6x7h"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-h64f-5h5j-jqjh vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-h64f-5h5j-jqjh"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-mg66-mrh9-m8jx vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-mg66-mrh9-m8jx"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-vfv6-92ff-j949 vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-vfv6-92ff-j949"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-wfc6-r584-vfw7 vom 2026-05-06",
        "url": "https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7"
      }
    ],
    "source_lang": "en-US",
    "title": "Vercel Next.js: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-13T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-14T10:51:12.589+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1401",
      "initial_release_date": "2026-05-06T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-06T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-13T22:00:00.000+00:00",
          "number": "2",
          "summary": "CVE aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c15.5.16",
                "product": {
                  "name": "Vercel Next.js \u003c15.5.16",
                  "product_id": "T053638"
                }
              },
              {
                "category": "product_version",
                "name": "15.5.16",
                "product": {
                  "name": "Vercel Next.js 15.5.16",
                  "product_id": "T053638-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:15.5.16"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.2.5",
                "product": {
                  "name": "Vercel Next.js \u003c16.2.5",
                  "product_id": "T053639"
                }
              },
              {
                "category": "product_version",
                "name": "16.2.5",
                "product": {
                  "name": "Vercel Next.js 16.2.5",
                  "product_id": "T053639-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:vercel:next.js:16.2.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Next.js"
          }
        ],
        "category": "vendor",
        "name": "Vercel"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-23870",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-23870"
    },
    {
      "cve": "CVE-2026-44572",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44572"
    },
    {
      "cve": "CVE-2026-44573",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44573"
    },
    {
      "cve": "CVE-2026-44574",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44574"
    },
    {
      "cve": "CVE-2026-44575",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44575"
    },
    {
      "cve": "CVE-2026-44576",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44576"
    },
    {
      "cve": "CVE-2026-44577",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44577"
    },
    {
      "cve": "CVE-2026-44578",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44578"
    },
    {
      "cve": "CVE-2026-44579",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44579"
    },
    {
      "cve": "CVE-2026-44580",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44580"
    },
    {
      "cve": "CVE-2026-44581",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44581"
    },
    {
      "cve": "CVE-2026-44582",
      "product_status": {
        "known_affected": [
          "T053639",
          "T053638"
        ]
      },
      "release_date": "2026-05-06T22:00:00.000+00:00",
      "title": "CVE-2026-44582"
    }
  ]
}

GHSA-3G8H-86W9-WVMQ

Vulnerability from github – Published: 2026-05-11 16:12 – Updated: 2026-05-14 20:35

Summary

Next.js's Middleware / Proxy redirects can be cache-poisoned

Details

Impact

Next.js uses the x-nextjs-data request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.

When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients.

If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged.

Affected scenarios

This affects applications that: - use middleware or proxy redirects - are deployed behind a caching CDN or reverse proxy - allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests

Fix

The fix stops trusting x-nextjs-data by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.

Workarounds

Before upgrading, users can reduce risk by: - configuring the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses

Severity ?

3.7 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.2.0"
            },
            {
              "fixed": "15.5.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:12:07Z",
    "nvd_published_at": "2026-05-13T16:16:58Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nNext.js uses the `x-nextjs-data` request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.\n\nWhen that happened, the middleware/proxy could treat the request as a data request and replace the standard `Location` redirect header with the internal `x-nextjs-redirect` header. Browsers do not follow `x-nextjs-redirect`, so the response became an unusable redirect for normal clients.\n\nIf the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a `Location` header, causing a denial of service for that redirect path until the cache entry expired or was purged.\n\n### Affected scenarios\n\nThis affects applications that:\n- use middleware or proxy redirects\n- are deployed behind a caching CDN or reverse proxy\n- allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests\n\n### Fix\n\nThe fix stops trusting `x-nextjs-data` by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.\n\n### Workarounds\n\nBefore upgrading, users can reduce risk by:\n- configuring the CDN or reverse proxy to vary its cache key on `x-nextjs-data` for affected responses",
  "id": "GHSA-3g8h-86w9-wvmq",
  "modified": "2026-05-14T20:35:56Z",
  "published": "2026-05-11T16:12:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44572"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js\u0027s Middleware / Proxy redirects can be cache-poisoned"
}

FKIE_CVE-2026-44572

Vulnerability from fkie_nvd - Published: 2026-05-13 16:16 - Updated: 2026-05-15 15:46

Severity ?

3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq	Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	vercel	next.js	*
	vercel	next.js	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "31A12CFA-9A52-4285-B5F3-E5FAD69DF477",
              "versionEndExcluding": "15.5.16",
              "versionStartIncluding": "12.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:vercel:next.js:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "27C5CF7A-7A33-4BE4-B8FD-10BFD813204A",
              "versionEndExcluding": "16.2.5",
              "versionStartIncluding": "16.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5."
    }
  ],
  "id": "CVE-2026-44572",
  "lastModified": "2026-05-15T15:46:08.980",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-13T16:16:58.800",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-349"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44572 (GCVE-0-2026-44572)

WID-SEC-W-2026-1401

GHSA-3G8H-86W9-WVMQ

Impact

Affected scenarios

Fix

Workarounds

FKIE_CVE-2026-44572

Tags

Sightings

Nomenclature