{ "auditReportVersion": 2, "vulnerabilities": { "@next/eslint-plugin-next": { "name": "@next/eslint-plugin-next", "severity": "high", "isDirect": false, "via": [ "glob" ], "effects": [ "eslint-config-next" ], "range": "14.0.5-canary.0 - 15.0.0-rc.1", "nodes": [ "node_modules/@next/eslint-plugin-next" ], "fixAvailable": true }, "ajv": { "name": "ajv", "severity": "moderate", "isDirect": false, "via": [ { "source": 1113714, "name": "ajv", "dependency": "ajv", "title": "ajv has ReDoS when using `$data` option", "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", "severity": "moderate", "cwe": [ "CWE-400", "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<6.14.0" } ], "effects": [], "range": "<6.14.0", "nodes": [ "node_modules/ajv" ], "fixAvailable": true }, "axios": { "name": "axios", "severity": "high", "isDirect": true, "via": [ { "source": 1113275, "name": "axios", "dependency": "axios", "title": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig", "url": "https://github.com/advisories/GHSA-43fc-jf86-j433", "severity": "high", "cwe": [ "CWE-754" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=1.0.0 <=1.13.4" }, { "source": 1116673, "name": "axios", "dependency": "axios", "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF", "url": "https://github.com/advisories/GHSA-3p68-rc4w-qgx5", "severity": "moderate", "cwe": [ "CWE-441", "CWE-918" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": ">=1.0.0 <1.15.0" }, { "source": 1116675, "name": "axios", "dependency": "axios", "title": "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain", "url": "https://github.com/advisories/GHSA-fvcv-3m26-pcqx", "severity": "moderate", "cwe": [ "CWE-113", "CWE-444", "CWE-918" ], "cvss": { "score": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, "range": ">=1.0.0 <1.15.0" } ], "effects": [], "range": "1.0.0 - 1.14.0", "nodes": [ "node_modules/axios" ], "fixAvailable": true }, "brace-expansion": { "name": "brace-expansion", "severity": "moderate", "isDirect": false, "via": [ { "source": 1115540, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": "<1.1.13" }, { "source": 1115541, "name": "brace-expansion", "dependency": "brace-expansion", "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, "range": ">=2.0.0 <2.0.3" } ], "effects": [], "range": "<1.1.13 || >=2.0.0 <2.0.3", "nodes": [ "node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion", "node_modules/brace-expansion", "node_modules/glob/node_modules/brace-expansion" ], "fixAvailable": true }, "dompurify": { "name": "dompurify", "severity": "moderate", "isDirect": false, "via": [ { "source": 1115529, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify is vulnerable to mutation-XSS via Re-Contextualization ", "url": "https://github.com/advisories/GHSA-h8r8-wccr-v5f2", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.3.2" }, { "source": 1115668, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify contains a Cross-site Scripting vulnerability", "url": "https://github.com/advisories/GHSA-v2wj-7wpq-c8vv", "severity": "moderate", "cwe": [ "CWE-79" ], "cvss": { "score": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, "range": ">=3.1.3 <=3.3.1" }, { "source": 1115921, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify ADD_ATTR predicate skips URI validation", "url": "https://github.com/advisories/GHSA-cjmm-f4jc-qw8r", "severity": "moderate", "cwe": [ "CWE-183" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=3.3.1" }, { "source": 1115922, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify USE_PROFILES prototype pollution allows event handlers", "url": "https://github.com/advisories/GHSA-cj63-jhhr-wcxv", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=3.3.1" }, { "source": 1116663, "name": "dompurify", "dependency": "dompurify", "title": "DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation", "url": "https://github.com/advisories/GHSA-39q2-94rc-95cp", "severity": "moderate", "cwe": [ "CWE-783" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=3.3.3" } ], "effects": [ "monaco-editor" ], "range": "<=3.3.3", "nodes": [ "node_modules/dompurify" ], "fixAvailable": true }, "eslint-config-next": { "name": "eslint-config-next", "severity": "high", "isDirect": true, "via": [ "@next/eslint-plugin-next" ], "effects": [], "range": "14.0.5-canary.0 - 15.0.0-rc.1", "nodes": [ "node_modules/eslint-config-next" ], "fixAvailable": true }, "flatted": { "name": "flatted", "severity": "high", "isDirect": false, "via": [ { "source": 1114526, "name": "flatted", "dependency": "flatted", "title": "flatted vulnerable to unbounded recursion DoS in parse() revive phase", "url": "https://github.com/advisories/GHSA-25h7-pfq9-p65f", "severity": "high", "cwe": [ "CWE-674" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.4.0" }, { "source": 1115357, "name": "flatted", "dependency": "flatted", "title": "Prototype Pollution via parse() in NodeJS flatted", "url": "https://github.com/advisories/GHSA-rf6f-7fwh-wjgh", "severity": "high", "cwe": [ "CWE-1321" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=3.4.1" } ], "effects": [], "range": "<=3.4.1", "nodes": [ "node_modules/flatted" ], "fixAvailable": true }, "follow-redirects": { "name": "follow-redirects", "severity": "moderate", "isDirect": false, "via": [ { "source": 1116560, "name": "follow-redirects", "dependency": "follow-redirects", "title": "follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets", "url": "https://github.com/advisories/GHSA-r4q5-vmmm-2653", "severity": "moderate", "cwe": [ "CWE-200" ], "cvss": { "score": 0, "vectorString": null }, "range": "<=1.15.11" } ], "effects": [], "range": "<=1.15.11", "nodes": [ "node_modules/follow-redirects" ], "fixAvailable": true }, "glob": { "name": "glob", "severity": "high", "isDirect": false, "via": [ { "source": 1109842, "name": "glob", "dependency": "glob", "title": "glob CLI: Command injection via -c/--cmd executes matches with shell:true", "url": "https://github.com/advisories/GHSA-5j98-mcp5-4vw2", "severity": "high", "cwe": [ "CWE-78" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" }, "range": ">=10.2.0 <10.5.0" } ], "effects": [ "@next/eslint-plugin-next" ], "range": "10.2.0 - 10.4.5", "nodes": [ "node_modules/glob" ], "fixAvailable": true }, "minimatch": { "name": "minimatch", "severity": "high", "isDirect": false, "via": [ { "source": 1113459, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": "<3.1.3" }, { "source": 1113465, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=9.0.0 <9.0.6" }, { "source": 1113538, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.3" }, { "source": 1113544, "name": "minimatch", "dependency": "minimatch", "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", "severity": "high", "cwe": [ "CWE-407" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=9.0.0 <9.0.7" }, { "source": 1113546, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<3.1.4" }, { "source": 1113552, "name": "minimatch", "dependency": "minimatch", "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=9.0.0 <9.0.7" } ], "effects": [], "range": "<=3.1.3 || 9.0.0 - 9.0.6", "nodes": [ "node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch", "node_modules/glob/node_modules/minimatch", "node_modules/minimatch" ], "fixAvailable": true }, "monaco-editor": { "name": "monaco-editor", "severity": "moderate", "isDirect": false, "via": [ "dompurify" ], "effects": [], "range": ">=0.54.0-dev-20250909", "nodes": [ "node_modules/monaco-editor" ], "fixAvailable": true }, "next": { "name": "next", "severity": "high", "isDirect": true, "via": [ { "source": 1111374, "name": "next", "dependency": "next", "title": "Next Server Actions Source Code Exposure ", "url": "https://github.com/advisories/GHSA-w37m-7fhw-fmv9", "severity": "moderate", "cwe": [ "CWE-497", "CWE-502", "CWE-1395" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, "range": ">=16.0.0-beta.0 <16.0.9" }, { "source": 1111383, "name": "next", "dependency": "next", "title": "Next Vulnerable to Denial of Service with Server Components", "url": "https://github.com/advisories/GHSA-mwv6-3258-q52c", "severity": "high", "cwe": [ "CWE-400", "CWE-502", "CWE-1395" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=16.0.0-beta.0 <16.0.9" }, { "source": 1112592, "name": "next", "dependency": "next", "title": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration", "url": "https://github.com/advisories/GHSA-9g9p-9gw9-jx7f", "severity": "moderate", "cwe": [ "CWE-400", "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=15.6.0-canary.0 <16.1.5" }, { "source": 1112646, "name": "next", "dependency": "next", "title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components", "url": "https://github.com/advisories/GHSA-h25m-26qc-wcjf", "severity": "high", "cwe": [ "CWE-400", "CWE-502" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=16.0.0-beta.0 <16.0.11" }, { "source": 1114898, "name": "next", "dependency": "next", "title": "Next.js: HTTP request smuggling in rewrites", "url": "https://github.com/advisories/GHSA-ggv3-7p47-pfv8", "severity": "moderate", "cwe": [ "CWE-444" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=16.0.0-beta.0 <16.1.7" }, { "source": 1114941, "name": "next", "dependency": "next", "title": "Next.js: Unbounded next/image disk cache growth can exhaust storage", "url": "https://github.com/advisories/GHSA-3x4c-7xq6-9pq8", "severity": "moderate", "cwe": [ "CWE-400" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=16.0.0-beta.0 <16.1.7" }, { "source": 1114942, "name": "next", "dependency": "next", "title": "Next.js: Unbounded postponed resume buffering can lead to DoS", "url": "https://github.com/advisories/GHSA-h27x-g6w4-24gq", "severity": "moderate", "cwe": [ "CWE-770" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=16.0.1 <16.1.7" }, { "source": 1114943, "name": "next", "dependency": "next", "title": "Next.js: null origin can bypass Server Actions CSRF checks", "url": "https://github.com/advisories/GHSA-mq59-m269-xvcx", "severity": "moderate", "cwe": [ "CWE-352" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=16.0.1 <16.1.7" }, { "source": 1115360, "name": "next", "dependency": "next", "title": "Next.js: null origin can bypass dev HMR websocket CSRF checks", "url": "https://github.com/advisories/GHSA-jcc7-9wpm-mj36", "severity": "low", "cwe": [ "CWE-1385" ], "cvss": { "score": 0, "vectorString": null }, "range": ">=16.0.1 <16.1.7" }, { "source": 1116305, "name": "next", "dependency": "next", "title": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ", "url": "https://github.com/advisories/GHSA-5f7q-jpqc-wp7h", "severity": "moderate", "cwe": [ "CWE-400", "CWE-409", "CWE-770" ], "cvss": { "score": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=16.0.0-beta.0 <16.1.5" }, { "source": 1116375, "name": "next", "dependency": "next", "title": "Next.js has a Denial of Service with Server Components", "url": "https://github.com/advisories/GHSA-q4gf-8mx6-v5v3", "severity": "high", "cwe": [ "CWE-770" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=16.0.0-beta.0 <16.2.3" } ], "effects": [], "range": "15.6.0-canary.0 - 16.2.2", "nodes": [ "node_modules/next" ], "fixAvailable": true }, "picomatch": { "name": "picomatch", "severity": "high", "isDirect": false, "via": [ { "source": 1115549, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": "<2.3.2" }, { "source": 1115551, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", "severity": "moderate", "cwe": [ "CWE-1321" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, "range": ">=4.0.0 <4.0.4" }, { "source": 1115552, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": "<2.3.2" }, { "source": 1115554, "name": "picomatch", "dependency": "picomatch", "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers", "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", "severity": "high", "cwe": [ "CWE-1333" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "range": ">=4.0.0 <4.0.4" } ], "effects": [], "range": "<=2.3.1 || 4.0.0 - 4.0.3", "nodes": [ "node_modules/picomatch", "node_modules/tinyglobby/node_modules/picomatch" ], "fixAvailable": true } }, "metadata": { "vulnerabilities": { "info": 0, "low": 0, "moderate": 5, "high": 8, "critical": 0, "total": 13 }, "dependencies": { "prod": 300, "dev": 301, "optional": 63, "peer": 5, "peerOptional": 0, "total": 641 } } }