Next.js - Critical - Access bypass - SA-CONTRIB-2025-122
View online: https://www.drupal.org/sa-contrib-2025-122

Project: Next.js [1]
Date: 2025-December-03
Security risk: *Critical* 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <1.6.4 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-13984

Description:

This module enables integration between Next.js and Drupal for headless CMS functionality.

When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.

This vulnerability affects all installations, as there are no configuration options to disable this behavior.

Solution:

There are two steps to resolve the issue: install the latest version and review your configuration.

1) Update the module:

   * If you use the Next.js module for Drupal 10 or 11, upgrade to Next.js 2.0.1 [3].
   * If you use the Next.js module for Drupal 9 (1.x branch), upgrade to Next.js 1.6.4 [4].

2) After upgrading, review the CORS configuration in sites/default/services.yml (see this module's CORS.md for details). This is especially important if you previously relied on the automatic CORS configuration.
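Because the affected module overrides services.yml, a correct-looking configuration file does not prove the site has stopped emitting the wildcard header; the only reliable check is the response the site actually serves. The following script is an added verification aid, not part of this advisory or the Next.js module: it sends a request carrying an Origin header to a site you administer and classifies the Access-Control-Allow-Origin value returned (the sample header sets and the probe origin https://unrelated.example are constructed).

```python
"""Classify the CORS policy a Drupal site really serves after upgrading past
SA-CONTRIB-2025-122. The module override meant services.yml could look fine
while every response still carried Access-Control-Allow-Origin: *."""
from urllib.request import Request, urlopen

# Constructed sample response headers (not captured from any real site).
SAMPLE_WILDCARD = {"Access-Control-Allow-Origin": "*"}
SAMPLE_RESTRICTED = {"Access-Control-Allow-Origin": "https://frontend.example",
                     "Vary": "Origin"}
SAMPLE_NO_CORS = {"Content-Type": "application/json"}


def audit_cors(headers, probe_origin="https://unrelated.example"):
    """Return a verdict for the headers of a response to a request that was
    sent with 'Origin: probe_origin'. probe_origin should be a site that is
    NOT on your allow list, so a matching reply means the list is not enforced.
    Header names are matched case-insensitively."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return {"verdict": "no-cors",
                "detail": "no ACAO header; browsers block cross-origin reads"}
    if acao == "*":
        return {"verdict": "wildcard",
                "detail": "any origin may read responses (advisory symptom)"}
    if acao == probe_origin:
        return {"verdict": "reflected",
                "detail": "probe origin echoed back; allow list not enforced"
                          + (" and credentials allowed" if creds else "")}
    return {"verdict": "restricted", "detail": "only " + acao + " is allowed"}


def fetch_cors_headers(url, probe_origin="https://unrelated.example", timeout=10):
    """Request a JSON:API or page URL on your own site with an Origin header
    and return the response headers for audit_cors()."""
    req = Request(url, headers={"Origin": probe_origin})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    import sys
    # With a URL argument the live site is checked; without one, the
    # constructed wildcard sample is classified so the script runs offline.
    hdrs = fetch_cors_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WILDCARD
    print(audit_cors(hdrs))
```

A "wildcard" or "reflected" verdict after upgrading means the effective policy still needs attention in sites/default/services.yml.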
Reported By:

* Mike Decker (pookmish) [5]

Fixed By:

* Brian Perry (brianperry) [6]
* Rob Decker (rrrob) [7]

Coordinated By:

* Bram Driesen (bramdriesen) [8] provisional member of the Drupal Security Team
* Greg Knaddison (greggles) [9] of the Drupal Security Team
* Jess (xjm) [10] of the Drupal Security Team

------------------------------------------------------------------------------

Contribution record [11]

[1] https://www.drupal.org/project/next
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/next/releases/2.0.1
[4] https://www.drupal.org/project/next/releases/1.6.4
[5] https://www.drupal.org/u/pookmish
[6] https://www.drupal.org/u/brianperry
[7] https://www.drupal.org/u/rrrob
[8] https://www.drupal.org/u/bramdriesen
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/xjm
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....