Next.js Cache Poisoning Vulnerability (CVE-2025-49826)
Introduction
Imagine your popular Next.js-powered website suddenly serving blank pages to every visitor, effectively disappearing from the internet. This alarming scenario could become reality due to CVE-2025-49826, a cache poisoning vulnerability discovered in Next.js versions 15.1.0 through 15.1.7. This seemingly innocuous issue involving HTTP 204 responses can lead to widespread Denial of Service (DoS), severely impacting your site's availability.
Technical Information
The vulnerability specifically targets the caching mechanism of Next.js, where HTTP 204 responses—indicating successful processing without content—are mistakenly cached for static pages. According to RFC 9111, responses with no content should never be cached. However, due to a logic flaw, Next.js versions 15.1.0 to 15.1.7 incorrectly cache these responses.
Attackers exploit this flaw by crafting requests that trigger a 204 response on static pages. Once cached, this response is served to all subsequent visitors, rendering the page inaccessible. The root cause is an inconsistent interpretation of HTTP responses between Next.js and caching layers, classified under CWE-444.
Patch Information
In response to the cache poisoning vulnerability identified in Next.js versions 15.1.0 through 15.1.7, the development team implemented a comprehensive fix to prevent unintended caching of HTTP 204 responses.
Key Changes in the Patch:
- Elimination of Problematic Code Path: the code responsible for generating HTTP 204 responses under specific conditions was removed.
- Resolution of Race Condition: a race condition was identified and resolved by ensuring each request generates its own response object.
Code Modifications:
    // Before the patch
    if (shouldSend204Response) {
      res.status(204).end();
      return;
    }

    // After the patch
    // The above code block has been removed to prevent unintended 204 responses
Users are strongly encouraged to upgrade to version 15.1.8 or later to benefit from these security enhancements.
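To make the mechanism described under Technical Information and Patch Information concrete, the following is an added JavaScript illustration (not Next.js source and not the actual patch): a small static-page cache whose store policy appears first in the flawed form, where a body-less 204 is cached and then served to every later visitor, and then in a hardened form that refuses to store it. The `emit204` flag is an assumed stand-in for the request condition, which this page does not specify.

```javascript
// Added illustration, not Next.js source: a minimal static-page cache that
// contrasts the flawed store policy (a 204 gets cached) with a hardened one.

// Constructed origin: `emit204` stands in for whatever request condition made
// the affected versions answer a static page with 204 (the condition itself is
// not reproduced here).
function renderStatic(path, { emit204 = false } = {}) {
  if (emit204) return { status: 204, body: '' };
  return { status: 200, body: `<html><body>${path}</body></html>` };
}

// Flawed policy (pre-patch behaviour as described): any 2xx is stored,
// so a body-less 204 ends up in the static cache.
function flawedPolicy(resp) {
  return resp.status >= 200 && resp.status < 300;
}

// Hardened policy: only a 200 that actually carries a body may be stored;
// 204 and other no-content responses are never cached.
function hardenedPolicy(resp) {
  return resp.status === 200 && resp.body.length > 0;
}

class StaticCache {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map(); // path -> cached response
  }
  fetch(path, opts) {
    const hit = this.store.get(path);
    if (hit) return { ...hit, fromCache: true };
    const resp = renderStatic(path, opts);
    if (this.policy(resp)) this.store.set(path, resp);
    return { ...resp, fromCache: false };
  }
}

// Replays the scenario from the advisory: one request yields a 204,
// then an ordinary visitor asks for the same static page.
function simulate(policy) {
  const cache = new StaticCache(policy);
  cache.fetch('/about', { emit204: true });
  const visitor = cache.fetch('/about');
  return { status: visitor.status, fromCache: visitor.fromCache };
}

console.log('flawed  :', simulate(flawedPolicy));   // { status: 204, fromCache: true }
console.log('hardened:', simulate(hardenedPolicy)); // { status: 200, fromCache: false }
```

The same store-policy check belongs in any caching layer in front of the application (CDN or reverse proxy), since the advisory's root cause is the cache and the origin disagreeing about what a 204 means.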
Affected Systems and Versions
- Next.js versions 15.1.0 through 15.1.7
- Self-hosted deployments (Vercel-hosted applications are unaffected)
Vendor Security History
Vercel has a robust security response program, promptly addressing vulnerabilities with transparent advisories. Previous vulnerabilities, such as CVE-2025-29927 and CVE-2024-46982, were swiftly mitigated, demonstrating Vercel's commitment to security.
References
Stay vigilant and ensure your Next.js applications are updated promptly to avoid falling victim to this subtle yet impactful vulnerability.
Source: This report was created using AI