Next.js Cache Poisoning Vulnerability (CVE-2025-49826): How a Simple 204 Response Could Take Down Your Site

Explore the technical details behind CVE-2025-49826, a cache poisoning vulnerability in Next.js that can lead to widespread Denial of Service through improper caching of HTTP 204 responses.
CVE Analysis

7 min read

ZeroPath Security Research

ZeroPath Security Research

2025-07-03

Next.js Cache Poisoning Vulnerability (CVE-2025-49826): How a Simple 204 Response Could Take Down Your Site

Next.js Cache Poisoning Vulnerability (CVE-2025-49826)

Introduction

Imagine your popular Next.js-powered website suddenly serving blank pages to every visitor, effectively disappearing from the internet. This alarming scenario could become reality due to CVE-2025-49826, a cache poisoning vulnerability discovered in Next.js versions 15.1.0 through 15.1.7. This seemingly innocuous issue involving HTTP 204 responses can lead to widespread Denial of Service (DoS), severely impacting your site's availability.

Technical Information

The vulnerability specifically targets the caching mechanism of Next.js, where HTTP 204 responses—indicating successful processing without content—are mistakenly cached for static pages. According to RFC 9111, responses with no content should never be cached. However, due to a logic flaw, Next.js versions 15.1.0 to 15.1.7 incorrectly cache these responses.

Attackers exploit this flaw by crafting requests that trigger a 204 response on static pages. Once cached, this response is served to all subsequent visitors, rendering the page inaccessible. The root cause is an inconsistent interpretation of HTTP responses between Next.js and caching layers, classified under CWE-444.

Patch Information

In response to the cache poisoning vulnerability identified in Next.js versions 15.1.0 through 15.1.7, the development team implemented a comprehensive fix to prevent unintended caching of HTTP 204 responses.

Key Changes in the Patch:

  1. Elimination of Problematic Code Path:

    • The code responsible for generating HTTP 204 responses under specific conditions was removed.
  2. Resolution of Race Condition:

    • A race condition was identified and resolved by ensuring each request generates its own response object.

Code Modifications:

// Before the patch if (shouldSend204Response) { res.status(204).end(); return; } // After the patch // The above code block has been removed to prevent unintended 204 responses

Users are strongly encouraged to upgrade to version 15.1.8 or later to benefit from these security enhancements.

Affected Systems and Versions

  • Next.js versions 15.1.0 through 15.1.7
  • Self-hosted deployments (Vercel-hosted applications are unaffected)

Vendor Security History

Vercel has a robust security response program, promptly addressing vulnerabilities with transparent advisories. Previous vulnerabilities, such as CVE-2025-29927 and CVE-2024-46982, were swiftly mitigated, demonstrating Vercel's commitment to security.

References

Stay vigilant and ensure your Next.js applications are updated promptly to avoid falling victim to this subtle yet impactful vulnerability.

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]

Detect & fix
what others miss