@stryke/trpc-next-0.5.22.tgz: 3 vulnerabilities (highest severity is: 6.5) - autoclosed #44
Description
Vulnerable Library - @stryke/trpc-next-0.5.22.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (@stryke/trpc-next version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-57822 |  Medium |
6.5 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-57752 | Medium |
6.2 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
| CVE-2025-55173 | Medium |
4.3 | next-15.2.4.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-57822
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/trpc-next-0.5.22.tgz (Root Library)
- next-11.7.2.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.7.2.tgz
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js Middleware versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-08-29
URL: CVE-2025-57822
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-4342-x723-ch2f
Release Date: 2025-08-29
Fix Resolution: next - 14.2.32,next - 15.4.7,https://github.com/vercel/next.js.git - v14.2.32,https://github.com/vercel/next.js.git - v15.4.7
Step up your Open Source Security Game with Mend here
CVE-2025-57752
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/trpc-next-0.5.22.tgz (Root Library)
- next-11.7.2.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.7.2.tgz
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.
Publish Date: 2025-08-29
URL: CVE-2025-57752
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-g5qg-72qw-gw5v
Release Date: 2025-08-29
Fix Resolution: next - 15.4.5,next - 14.2.31
Step up your Open Source Security Game with Mend here
CVE-2025-55173
Vulnerable Library - next-15.2.4.tgz
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-15.2.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @stryke/trpc-next-0.5.22.tgz (Root Library)
- next-11.7.2.tgz
- ❌ next-15.2.4.tgz (Vulnerable Library)
- next-11.7.2.tgz
Found in base branch: main
Vulnerability Details
Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5.
Publish Date: 2025-08-29
URL: CVE-2025-55173
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-xv57-4mr9-wg8v
Release Date: 2025-08-29
Fix Resolution: next - 14.2.31,next - 15.4.5
Step up your Open Source Security Game with Mend here