CVE-2025-49826

Next.js DoS vulnerability via cache poisoning

CVSS 7.5 HIGH | EPSS 0.8% | CWE-444
In short

Next.js has a caching bug that can cause a web server to answer every visitor to a page with an HTTP 204 (No Content) response instead of the page itself, making that page effectively unavailable. An attacker can trigger this by sending specially crafted HTTP requests; once the empty response is cached, it is served to everyone who requests the page, so a single attacker disrupts service for all users.

Technical detail

A cache poisoning vulnerability in Next.js versions from 15.0.4-canary.51 up to but not including 15.1.8 allows an HTTP 204 (No Content) response to be cached for a static page under certain conditions. Once the poisoned entry is in the cache, every subsequent request for that page receives the empty 204 response rather than the rendered page, which is a denial of service for that page. The attack vector is an unauthenticated network request that triggers the incorrect cache storage (CVSS AV:N/PR:N/UI:N, availability impact only; confidentiality and integrity are not affected). Sites hosted on Vercel are not affected. Remediated in version 15.1.8; upgrade to 15.1.8 or later.
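The first thing a practitioner wants is an exposure check against the version range the advisory gives. The following is an added example, not code from the advisory or from the Next.js project: it implements SemVer 2.0.0 precedence by hand (no npm dependencies) so that canary prereleases such as 15.0.4-canary.51 are ordered correctly, and reports whether a given Next.js version string lies in [15.0.4-canary.51, 15.1.8). The function names and the conservative treatment of 15.1.8 prereleases as affected are this example's own choices.

```javascript
// Added example (not from the advisory or from Next.js): decide whether an
// installed Next.js version falls inside the affected range named by the
// advisory, 15.0.4-canary.51 up to but not including 15.1.8.

function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    // Prerelease identifiers, e.g. "canary.51" -> ["canary", 51]; build metadata is ignored.
    pre: m[4] ? m[4].split('.').map(id => (/^\d+$/.test(id) ? Number(id) : id)) : [],
  };
}

// Comparator following SemVer 2.0.0 precedence rules: negative, zero or positive.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.main[i] !== B.main[i]) return A.main[i] - B.main[i];
  }
  // A version carrying a prerelease tag has lower precedence than the plain release.
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;
  if (B.pre.length === 0) return -1;
  const n = Math.min(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === y) continue;
    const xn = typeof x === 'number', yn = typeof y === 'number';
    if (xn && yn) return x - y;
    if (xn) return -1;          // numeric identifiers sort before alphanumeric ones
    if (yn) return 1;
    return x < y ? -1 : 1;      // alphanumeric identifiers compare in ASCII order
  }
  return A.pre.length - B.pre.length; // equal prefix: the longer prerelease set is higher
}

const AFFECTED_FROM = '15.0.4-canary.51'; // first affected version (inclusive)
const FIXED_IN = '15.1.8';                // first fixed version (exclusive upper bound)

// True when `version` lies in [AFFECTED_FROM, FIXED_IN). A prerelease such as
// 15.1.8-canary.1 sorts below 15.1.8 and is therefore reported as affected,
// which is a deliberately conservative reading of "before 15.1.8" (assumption).
function isAffectedByCve202549826(version) {
  return compareSemver(version, AFFECTED_FROM) >= 0 && compareSemver(version, FIXED_IN) < 0;
}

// Stand-alone usage: `node check-next-version.js 15.1.7`
if (typeof require !== 'undefined' && require.main === module) {
  const v = process.argv[2] || '15.1.7';
  console.log(`${v}: ${isAffectedByCve202549826(v)
    ? 'AFFECTED by CVE-2025-49826, upgrade to 15.1.8 or later'
    : 'not in the affected range'}`);
}
```

Feed it the `version` field of `node_modules/next/package.json` (or the resolved version in your lockfile) rather than the range in `package.json`, since only the installed build matters.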

Summary generated and translated by AI from the official description.
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
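The symptom the description gives, a static page that is suddenly answered with 204 for every visitor, is also something you can look for in access logs while the upgrade is rolled out. The following detection heuristic is an added example, not part of the advisory or of Next.js: it parses combined-format access log lines and flags any path that served a 200 and then began returning 204 to several distinct client addresses. The log lines are constructed for this example, the threshold and the `findPoisonedPages` name are this example's own choices, and legitimately empty endpoints (which never return 200) are deliberately not flagged.

```javascript
// Added example (not from the advisory or from Next.js): flag static pages
// that flipped from 200 to 204 for many distinct clients, the observable
// effect of the poisoned cache entry the advisory describes.

// Constructed sample access log (combined format). /pricing is the poisoned
// page; /api/ping is an endpoint that legitimately returns 204; /docs shows
// a single-client 204 that stays below the alert threshold.
const SAMPLE_LOG = [
  '10.0.0.1 - - [02/Jul/2025:10:00:00 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.1 - - [02/Jul/2025:10:00:01 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [02/Jul/2025:10:00:02 +0000] "GET /api/ping HTTP/1.1" 204 0 "-" "curl/8.0"',
  '10.0.0.2 - - [02/Jul/2025:10:00:05 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '10.0.0.3 - - [02/Jul/2025:10:00:06 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '10.0.0.2 - - [02/Jul/2025:10:00:07 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '10.0.0.4 - - [02/Jul/2025:10:00:08 +0000] "GET /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [02/Jul/2025:10:00:09 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
  '10.0.0.6 - - [02/Jul/2025:10:00:10 +0000] "GET /docs HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [02/Jul/2025:10:00:11 +0000] "GET /docs HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
  '10.0.0.8 - - [02/Jul/2025:10:00:12 +0000] "POST /pricing HTTP/1.1" 204 0 "-" "Mozilla/5.0"',
];

// Extracts client IP, method, path and status from one combined-format line.
function parseLine(line) {
  const m = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) /.exec(line);
  if (!m) return null;
  return { ip: m[1], method: m[2], path: m[3], status: Number(m[4]) };
}

// Returns [{ path, distinctClients }] for every path that answered GET with 200
// at least once and afterwards answered 204 to >= minDistinctClients addresses.
// Lines are assumed to be in chronological order (as a log file is).
function findPoisonedPages(lines, { minDistinctClients = 3 } = {}) {
  const perPath = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'GET') continue;   // only cached page fetches matter here
    let s = perPath.get(r.path);
    if (!s) {
      s = { served200: false, clientsWith204AfterOk: new Set() };
      perPath.set(r.path, s);
    }
    if (r.status === 200) {
      s.served200 = true;
    } else if (r.status === 204 && s.served200) {
      s.clientsWith204AfterOk.add(r.ip);
    }
  }
  const hits = [];
  for (const [path, s] of perPath) {
    if (s.clientsWith204AfterOk.size >= minDistinctClients) {
      hits.push({ path, distinctClients: s.clientsWith204AfterOk.size });
    }
  }
  return hits.sort((a, b) => (a.path < b.path ? -1 : 1));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findPoisonedPages(SAMPLE_LOG)) {
    console.log(`possible poisoned cache entry: ${h.path} served 204 to ${h.distinctClients} distinct clients after serving 200`);
  }
}
```

Tune `minDistinctClients` to the traffic of the site; on a busy site a threshold in the tens avoids alerting on a single misbehaving client, while a page that is supposed to render content should essentially never return 204 to anyone.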
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
vercel · next.js
