9.8
CVE-2025-63706: Next NPM Version Vulnerable to Untrusted Input
CVE-2025-63706
GHSA-2xx6-qf7x-grqh
Summary
The Next NPM Version package is used in some projects to update NPM packages. If an attacker can inject malicious input, they may be able to execute arbitrary system commands, potentially allowing them to access or modify sensitive data. To mitigate this risk, consider updating to a secure version of the package or removing it altogether if not essential to your project.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| npm | jswork | next-npm-version | 1.0.1 |
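
A check for the package and version listed in the table above, as an added example (not part of the advisory and not the package's own code). It walks a parsed `package-lock.json`, covering both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1, and reports every install of next-npm-version 1.0.1, including transitive ones. The sample lockfile and the package name `release-helper` are constructed for illustration.

```javascript
// Added example: report installs of the package and version from the advisory table.
const AFFECTED = { name: "next-npm-version", versions: ["1.0.1"] };

// Lockfile v2/v3: flat "packages" map keyed by install path
// ("node_modules/a/node_modules/b"); the package name is the last segment.
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project; other keys are workspace sources
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (name === AFFECTED.name && AFFECTED.versions.includes(meta.version)) {
      hits.push({ path, version: meta.version, dev: Boolean(meta.dev) });
    }
  }
}

// Lockfile v1: nested "dependencies" tree; recurse to reach transitive installs.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    if (name === AFFECTED.name && AFFECTED.versions.includes(meta.version)) {
      hits.push({ path: [...trail, name].join(" > "), version: meta.version, dev: Boolean(meta.dev) });
    }
    scanDependencyTree(meta.dependencies, [...trail, name], hits);
  }
}

// v2 lockfiles carry both sections; prefer "packages" so each install is reported once.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample (lockfileVersion 3): one transitive, dev-only install of 1.0.1.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/release-helper": { version: "2.3.0", dev: true },
    "node_modules/release-helper/node_modules/next-npm-version": { version: "1.0.1", dev: true },
    "node_modules/semver": { version: "7.6.0" },
  },
};
console.log(findAffected(sampleLock));
```

To run it against a project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; an empty array means the lockfile does not pin the affected version.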
Original title
next-npm-version is vulnerable to Command injection
Original description
NPM package next-npm-version 1.0.1 is vulnerable to Command injection.
Vulnerability type
CWE-94
Code Injection
Published: 7 May 2026 · Updated: 30 May 2026 · First seen: 7 May 2026