Security Vulnerabilities

Reference of CVEs affecting this project's dependency stack. All listed vulnerabilities are patched in current installed versions.

Last audited: 2026-02-12 Stack: Next.js 15.5.12, React 19.2.4, Tailwind CSS 4.x, highlight.js 11.11.1, marked 16.4.1

Critical

GHSA: GHSA-fv66-9v8q-g76r (React), GHSA-9qr9-h5gf-34mp (Next.js)
CVSS: 10.0 Critical
Disclosed: December 3, 2025
Description: Pre-auth remote code execution via React Server Components "Flight" protocol. Crafted HTTP request triggers unsafe deserialization, allowing arbitrary code execution on the server. No auth or user interaction required. Added to CISA KEV catalog Dec 5, 2025. Actively exploited in the wild within hours of disclosure.
Affected: React 19.0.0-19.2.0, Next.js 15.0.0-15.5.6
Fixed: React 19.2.1+, Next.js 15.4.8+
This project: Patched in commit a4bdc3d

GHSA: GHSA-f82v-jwr5-mffw
CVSS: 9.1 Critical
Disclosed: March 21, 2025
Description: Middleware bypass via x-middleware-subrequest internal header. This header, meant to prevent infinite loops, is blindly trusted without origin verification. Attacker adds the header to skip all middleware checks -- accessing protected routes, admin panels, and APIs.
Affected: Next.js < 15.2.3
Fixed: Next.js 15.2.3+

GHSA: GHSA-mwv6-3258-q52c (Next.js), GHSA-7gmr-mq3h-m5h9 (React)
CVSS: 7.5 High
Disclosed: December 11, 2025
Description: Crafted HTTP request causes infinite loop during RSC payload deserialization, hanging the server and blocking all future requests. Initial fix was incomplete (see CVE-2025-67779).
Affected: React 19.0.0-19.2.1, Next.js >= 13.3 through 15.5.7
Fixed: React 19.2.2+, Next.js 15.5.8+

GHSA: GHSA-5j59-xgg2-r9c4
CVSS: 7.5 High
Disclosed: December 11, 2025 (addendum January 26, 2026)
Description: The fix for CVE-2025-55184 was incomplete. Certain payload types could still trigger infinite loops causing server hangs and CPU exhaustion.
Affected: React 19.0.2, 19.1.3, 19.2.2 (the "patched" versions), Next.js through 15.5.8
Fixed: React 19.2.3+, Next.js 15.5.9+

GHSA: GHSA-83fc-fqcc-2hmg
CVSS: 7.5 High
Disclosed: January 26, 2026
Description: Additional DoS vectors persisted through prior patches. Crafted requests cause crashes, out-of-memory exceptions, or excessive CPU usage on Server Function endpoints.
Affected: React 19.0.0-19.2.3
Fixed: React 19.2.4+

GHSA: GHSA-w37m-7fhw-fmv9 (Next.js), GHSA-925w-6v3x-g4j4 (React)
CVSS: 5.3 Medium
Disclosed: December 11, 2025
Description: Crafted request returns compiled source of Server Functions via .toString() on server function objects. Reveals business logic; if secrets are hardcoded (not env vars), they leak too.
Affected: React 19.0.0-19.2.1, Next.js through 15.5.8
Fixed: React 19.2.3+, Next.js 15.5.9+

GHSA: GHSA-xv57-4mr9-wg8v
CVSS: 4.3 Moderate
Disclosed: August 29, 2025
Description: External image sources trigger file downloads with arbitrary content/filenames when using images.domains or images.remotePatterns. Potential phishing/malware delivery vector.
Affected: Next.js < 14.2.31, 15.0.0-15.4.4
Fixed: Next.js 15.4.5+

GHSA: GHSA-g5qg-72qw-gw5v
CVSS: 6.2 Moderate
Disclosed: August 29, 2025
Description: API routes returning images that vary by request headers (Cookie, Authorization) get incorrectly cached and served to unauthorized users due to cache key confusion.
Affected: Next.js < 14.2.31, 15.0.0-15.4.4
Fixed: Next.js 15.4.5+

GHSA: GHSA-223j-4rm8-mrmf
CVSS: 1.7 Low
Disclosed: April 2, 2025
Description: Introduced during fix for CVE-2025-29927. The x-middleware-subrequest-id header persists across requests and leaks to third-party hosts when fetch() is called from middleware.
Affected: Next.js <= 15.2.3
Fixed: Next.js 15.2.4+

Package	Version	Status
Tailwind CSS	4.x	No known CVEs
highlight.js	11.11.1	No known CVEs (last CVE was 2020, fixed in 10.1.2)
marked	16.4.1	No known CVEs (historical ReDoS/XSS fixed in 4.x)