GHSA-ffhc-5mcf-pf4q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ffhc-5mcf-pf4q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ffhc-5mcf-pf4q/GHSA-ffhc-5mcf-pf4q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ffhc-5mcf-pf4q
- Aliases
-
- CVE-2026-44581
- Related
- Published
- 2026-05-11T15:57:12Z
- Modified
- 2026-05-13T03:44:29.800788517Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
- Details
-
Impact
App Router applications that rely on CSP nonces can be vulnerable to stored cross-site scripting when deployed behind shared caches. In affected versions, malformed nonce values derived from request headers could be reflected into rendered HTML in an unsafe way, allowing an attacker to poison cached responses and cause script execution for later visitors.
Fix
We now reject or ignore malformed nonce values before they are embedded into HTML and apply stricter nonce sanitization so request-derived nonce data cannot break out of the intended attribute context.
Workarounds
If you cannot upgrade immediately, strip inbound
Content-Security-Policyrequest headers from untrusted traffic. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T15:57:12Z", "nvd_published_at": null, "severity": "MODERATE", "cwe_ids": [ "CWE-79" ] }- References
Affected packages
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next
npm / next
Package
- Name
- next
- View open source insights on deps.dev
- Purl
- pkg:npm/next