Vercel Next.js 13.5.9 for Node.js
Approved changes feed: RSS · Atom
cpe:2.3:a:vercel:next.js:13.5.9:*:*:*:*:node.js:*:*
part: a version: 13.5.9 update: *
| Vendor | Vercel (5676cb1a-0d7f-5c57-9405-b569f0c482e7) |
|---|---|
| Product | Next.Js (291cbef7-fa11-595c-86e3-5c00f9c5cf94) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | node.js |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/vercel/next.js |
purl2cpe | 2026-06-01 10:11:38.621710 |
pkg:sourceforge/next-js.mirror |
purl2cpe | 2026-06-01 10:11:38.621712 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2025-30218 |
vulnerable | 2026-06-08 07:16:59.308437 |
Next.js may leak x-middleware-subrequest-id to external hosts
Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.
Published: 2025-04-02T21:23:14.660Z
Updated: 2025-10-13T15:37:02.310Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.