trpc-next-0.5.41.tgz: 7 vulnerabilities (highest severity is: 10.0) #63
Description
Vulnerable Library - trpc-next-0.5.41.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (trpc-next version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-55182 |  Critical |
10.0 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-67779 |  High |
7.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-55184 | High |
7.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-57822 |  Medium |
6.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-57752 | Medium |
6.2 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-55183 | Medium |
5.3 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-55173 | Medium |
4.3 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-55182
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.41.tgz (Root Library)
- next-11.8.0.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.8.0.tgz
Found in base branch: main
Vulnerability Details
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.
Publish Date: 2025-12-03
URL: CVE-2025-55182
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-fv66-9v8q-g76r
Release Date: 2025-12-03
Fix Resolution: next - 15.0.5,next - 15.4.8,next - 15.5.7,next - 15.1.9,next - 16.0.7,next - 15.2.6,next - 15.3.6,react-server-dom-turbopack - 19.1.2,https://github.com/facebook/react.git - v19.1.2,https://github.com/facebook/react.git - v19.0.1,https://github.com/facebook/react.git - v19.2.1,react-server-dom-turbopack - 19.2.1,react-server-dom-parcel - 19.1.2,react-server-dom-turbopack - 19.0.1,react-server-dom-webpack - 19.0.1,react-server-dom-webpack - 19.1.2,react-server-dom-webpack - 19.2.1,react-server-dom-parcel - 19.2.1
Step up your Open Source Security Game with Mend here
CVE-2025-67779
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.41.tgz (Root Library)
- next-11.8.0.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.8.0.tgz
Found in base branch: main
Vulnerability Details
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Publish Date: 2025-12-12
URL: CVE-2025-67779
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-12
Fix Resolution: next - 15.1.9,next - 15.2.6,next - 15.5.7,next - 15.3.6,react-server-dom-parcel - 19.2.3,next - 15.4.8,next - 15.0.5,next - 16.0.7,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.0.3,react-server-dom-turbopack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-webpack - 19.1.4,react-server-dom-parcel - 19.1.4
Step up your Open Source Security Game with Mend here
CVE-2025-55184
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.41.tgz (Root Library)
- next-11.8.0.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.8.0.tgz
Found in base branch: main
Vulnerability Details
A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints, which can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Publish Date: 2025-12-11
URL: CVE-2025-55184
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-11
Fix Resolution: next - 15.3.6,react-server-dom-parcel - 19.2.3,next - 15.5.7,next - 15.1.9,next - 16.0.7,next - 15.0.5,next - 15.2.6,next - 15.4.8,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.1.4,react-server-dom-turbopack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-webpack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-parcel - 19.1.4
Step up your Open Source Security Game with Mend here
CVE-2025-57822
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.41.tgz (Root Library)
- next-11.8.0.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.8.0.tgz
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js Middleware versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-08-29
URL: CVE-2025-57822
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-4342-x723-ch2f
Release Date: 2025-08-29
Fix Resolution: next - 14.2.32,next - 15.4.7,https://github.com/vercel/next.js.git - v14.2.32,https://github.com/vercel/next.js.git - v15.4.7
Step up your Open Source Security Game with Mend here
CVE-2025-57752
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.41.tgz (Root Library)
- next-11.8.0.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.8.0.tgz
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
Publish Date: 2025-08-29
URL: CVE-2025-57752
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g5qg-72qw-gw5v
Release Date: 2025-08-29
Fix Resolution: next - 15.4.5,next - 14.2.31
Step up your Open Source Security Game with Mend here
CVE-2025-55183
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.41.tgz (Root Library)
- next-11.8.0.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.8.0.tgz
Found in base branch: main
Vulnerability Details
An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. A specifically crafted HTTP request sent to a vulnerable Server Function may unsafely return the source code of any Server Function. Exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.
Publish Date: 2025-12-11
URL: CVE-2025-55183
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-11
Fix Resolution: next - 15.5.7,next - 15.4.8,next - 16.0.7,next - 15.1.9,next - 15.2.6,next - 15.3.6,next - 15.0.5,react-server-dom-webpack - 19.1.4,react-server-dom-turbopack - 19.1.4,react-server-dom-webpack - 19.0.3,react-server-dom-webpack - 19.2.3,react-server-dom-parcel - 19.2.3,react-server-dom-turbopack - 19.2.3,react-server-dom-turbopack - 19.0.3,react-server-dom-parcel - 19.1.4
Step up your Open Source Security Game with Mend here
CVE-2025-55173
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- trpc-next-0.5.41.tgz (Root Library)
- next-11.8.0.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.8.0.tgz
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.
Publish Date: 2025-08-29
URL: CVE-2025-55173
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-xv57-4mr9-wg8v
Release Date: 2025-08-29
Fix Resolution: next - 14.2.31,next - 15.4.5
Step up your Open Source Security Game with Mend here