CVE-2025-49005
BaseFortify

Publication date: 2025-07-03

Last updated on: 2025-09-10

Assigner: GitHub, Inc.

Description
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.
Meta Information
Published: 2025-07-03
Last Modified: 2025-09-10
Generated: 2026-05-06
AI Q&A: 2025-07-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product    Version / Range
vercel    next.js    From 15.3.0 (inc) to 15.3.3 (exc)
vercel    vercel     From 41.4.1 (inc) to 42.2.0 (exc)
CWE
CWE ID     Description
CWE-444    The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a cache poisoning issue in Next.js App Router versions 15.3.0 to before 15.3.3 and Vercel CLI versions 41.4.1 to 42.2.0. It allows page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. This means that the cached content served to users could be incorrect or unexpected.


How can this vulnerability impact me?

If you deploy Next.js on Vercel, this vulnerability would only impact the browser cache and would not poison the CDN cache. However, if you self-host and deploy externally, and your CDN does not properly distinguish between RSC and HTML in cache keys, this could lead to cache poisoning. This means users might receive incorrect or unintended content, potentially affecting user experience or application behavior.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Next.js to version 15.3.3 or later and Vercel CLI to a version later than 42.2.0 to resolve the cache poisoning vulnerability. Additionally, if self-hosting and using an external CDN, ensure the CDN properly distinguishes between React Server Component (RSC) and HTML content in cache keys to prevent cache poisoning.
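
For the self-hosted case, one way a caching layer can keep RSC and HTML responses apart, as an added example that is not code from Next.js, Vercel or this page. The function names and the request/response object shape are hypothetical; the RSC, Next-Router-State-Tree and Next-Router-Prefetch request headers and the text/x-component content type are Next.js App Router behaviour that this page does not itself state.

```javascript
// Added example: cache-key builder and store guard for a self-hosted cache
// in front of a Next.js App Router application. Names are hypothetical.

// Request headers the App Router sends when it wants an RSC payload rather
// than an HTML document (assumption: not listed on this page).
const RSC_VARIANT_HEADERS = [
  'rsc',
  'next-router-state-tree',
  'next-router-prefetch',
];

// Build a cache key in which the RSC variant headers take part, so an RSC
// response can never be looked up by a plain HTML navigation.
// `req` is a constructed shape: { method, url, headers } with lowercase
// header names.
function cacheKey(req) {
  const url = new URL(req.url, 'http://origin.invalid');
  const variant = RSC_VARIANT_HEADERS
    .map((h) => `${h}=${req.headers[h] ?? ''}`)
    .join('&');
  return `${req.method} ${url.pathname}${url.search} | ${variant}`;
}

// Second line of defence: refuse to store a response whose body type does
// not match what the request asked for. This blocks the mismatch described
// above (HTML request answered with an RSC payload) even if the key is wrong.
function isStorable(req, res) {
  const wantsRsc = req.headers['rsc'] === '1';
  const type = (res.headers['content-type'] ?? '')
    .split(';')[0]
    .trim()
    .toLowerCase();
  const isRscBody = type === 'text/x-component';
  return wantsRsc === isRscBody;
}

// Constructed sample requests for the same page.
const htmlRequest = { method: 'GET', url: '/dashboard', headers: {} };
const rscRequest = { method: 'GET', url: '/dashboard', headers: { rsc: '1' } };
```

A CDN that honours the Vary response header gets the same separation without custom key logic; the store guard is useful where Vary is ignored or stripped.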

