CVE-2025-49826
BaseFortify
Publication date: 2025-07-03
Last updated on: 2025-09-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | next.js | From 15.0.4 (exc) to 15.1.8 (exc) |
| vercel | next.js | 15.0.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cache poisoning bug in Next.js versions 15.1.0 to before 15.1.8. Under certain conditions, an HTTP 204 response (No Content) can be cached for static pages, causing that 204 response to be served to all users trying to access the page. This leads to a Denial of Service (DoS) condition because users receive no content instead of the expected page.
How can this vulnerability impact me?
The vulnerability can cause a Denial of Service (DoS) condition by serving a cached HTTP 204 response to all users accessing affected static pages, effectively making the pages unavailable to users. This can disrupt the availability of your web application.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Next.js to version 15.1.8 or later, as this version addresses the cache poisoning bug that leads to the Denial of Service condition.