next vulnerability in getsentry/sentry-javascript

Reachability: [Always Reachable](https://semgrep.dev/docs/semgrep-supply-chain/glossary#reachable-finding-and-reachable-vulnerability)

Vulnerable code in [yarn.lock:23093](https://github.com/getsentry/sentry-javascript/blob/71384a2487c4e044c5c8f9d5cfa2ce4ac71e6a11/yarn.lock#L23093)

Affected versions of next are vulnerable to Dependency on Vulnerable Third-Party Component / Deserialization of Untrusted Data / Uncontrolled Resource Consumption. An attacker can send a specially crafted HTTP request to any Server Function endpoint (as used by Next.js' App Router) that, when deserialized by the React Server Components runtime, enters an infinite loop—hanging the server process, exhausting CPU, and resulting in a denial-of-service.

Severity: High

Current version: 13.5.9

Recommended fix version: 14.2.35

References:

* [semgrep rule](https://semgrep.dev/orgs/-/supply-chain/advisories?q=ssc-b94a740c-3b13-43fd-9f2d-4d8bb0fe0b69)
* [https://github.com/advisories/GHSA-5j59-xgg2-r9c4](https://github.com/advisories/GHSA-5j59-xgg2-r9c4)
* [https://nvd.nist.gov/vuln/detail/CVE-2025-67779](https://nvd.nist.gov/vuln/detail/CVE-2025-67779)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

next vulnerability in getsentry/sentry-javascript #18645

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

next vulnerability in getsentry/sentry-javascript #18645

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions