CVE-2025-13984 | THREATINT

Description

Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS).This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1.

PUBLISHED Reserved 2025-12-03 | Published 2026-01-28 | Updated 2026-01-28 | Assigner drupal

Problem types

CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains

Product status

Default status

unaffected

0.0.0 (semver) before 1.6.4

affected

2.0.0 (semver) before 2.0.1

affected

Credits

Mike Decker (pookmish) finder

Brian Perry (brianperry) remediation developer

Rob Decker (rrrob) remediation developer

Bram Driesen (bramdriesen) coordinator

Greg Knaddison (greggles) coordinator

Jess (xjm) coordinator

References

www.drupal.org/sa-contrib-2025-122

cve.org (CVE-2025-13984)

nvd.nist.gov (CVE-2025-13984)

Download JSON