A critical security vulnerability has been identified and patched in Next.js, the popular React-based web framework.
The vulnerability, designated as CVE-2025-49826, affects specific versions of the framework and could allow attackers to exploit cache poisoning mechanisms to trigger denial-of-service conditions on vulnerable applications.
The security issue impacts Next.js versions ranging from 15.1.0 to 15.1.7, with version 15.1.8 serving as the patched release.
According to the security advisory published by Aaron Brown, Head of Security at Vercel, and Zack Tanner, the issue is a cache poisoning bug in the framework's response cache: an attacker can get a bad response stored where a valid page should be.
Technically, the bug lies in how Next.js's caching layer handles HTTP responses. Under certain configurations, an HTTP 204 (No Content) response can be cached for a static page, after which that empty response is served to every user who requests the page.
The page is effectively unavailable until the cached entry is replaced or expires, a denial-of-service condition against any route an attacker can poison this way.
What makes this class of attack awkward to defend against is that it turns a performance feature against the application: the attacker does not need to overload the server, only to get one invalid response into the cache, after which the cache itself delivers empty content to legitimate users in place of the expected page data.
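The symptom described above is visible in CDN access logs: a route that normally returns an HTML page starts being served as a cached HTTP 204 with a zero-byte body. The following detector is an added example, not code from the advisory or from the Next.js project. It assumes a simple access-log format with a trailing cache-status field (HIT/MISS), which is a stand-in for whatever your CDN actually emits; the sample lines are constructed, not real traffic.

```javascript
// Added example: flag page routes that a CDN is serving as cached HTTP 204s.
// Log format is an assumption for this example; adapt LINE_RE to your CDN.
// Assumed format:
//   <client-ip> [<timestamp>] "<method> <path> HTTP/1.1" <status> <bytes> <cache-status>

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = `
203.0.113.7 [05/Jul/2025:10:00:01 +0000] "GET /blog/hello-world HTTP/1.1" 200 18322 MISS
203.0.113.8 [05/Jul/2025:10:00:02 +0000] "GET /blog/hello-world HTTP/1.1" 200 18322 HIT
203.0.113.9 [05/Jul/2025:10:00:03 +0000] "GET /api/health HTTP/1.1" 204 0 HIT
203.0.113.9 [05/Jul/2025:10:00:04 +0000] "GET /blog/hello-world HTTP/1.1" 204 0 MISS
203.0.113.10 [05/Jul/2025:10:00:05 +0000] "GET /blog/hello-world HTTP/1.1" 204 0 HIT
203.0.113.11 [05/Jul/2025:10:00:06 +0000] "GET /blog/hello-world HTTP/1.1" 204 0 HIT
203.0.113.12 [05/Jul/2025:10:00:07 +0000] "GET /_next/static/chunks/main.js HTTP/1.1" 200 51234 HIT
203.0.113.13 [05/Jul/2025:10:00:08 +0000] "GET /pricing HTTP/1.1" 204 0 HIT
`;

const LINE_RE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+) HTTP\/[\d.]+" (\d{3}) (\d+) (\S+)$/;

// Parse one log line into a record, or null if it does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return {
    ip: m[1], ts: m[2], method: m[3], path: m[4],
    status: Number(m[5]), bytes: Number(m[6]), cache: m[7],
  };
}

// Page routes are the ones that normally return HTML. Next.js build assets
// and API routes are excluded, since a 204 can be legitimate there.
function isPageRoute(path) {
  const p = path.split('?')[0];
  return !p.startsWith('/_next/') && !p.startsWith('/api/');
}

// Group GET requests by path and report every page route that was served a
// 204 from cache. `previously200` tells you whether the same path had served
// real content earlier in the log, which is the classic poisoning signature.
function findPoisonedRoutes(logText) {
  const byPath = new Map();
  for (const raw of logText.split('\n')) {
    const e = parseLine(raw);
    if (!e || e.method !== 'GET' || !isPageRoute(e.path)) continue;
    const path = e.path.split('?')[0];
    const s = byPath.get(path) || { ok: 0, cached204: 0, first204: null };
    if (e.status === 200) s.ok += 1;
    if (e.status === 204 && e.cache === 'HIT') {
      s.cached204 += 1;
      if (s.first204 === null) s.first204 = e.ts;
    }
    byPath.set(path, s);
  }
  const hits = [];
  for (const [path, s] of byPath) {
    if (s.cached204 > 0) {
      hits.push({ path, cached204: s.cached204, previously200: s.ok > 0, since: s.first204 });
    }
  }
  return hits.sort((a, b) => b.cached204 - a.cached204);
}

console.log(JSON.stringify(findPoisonedRoutes(SAMPLE_LOG), null, 2));
```

Run against the sample, it reports `/blog/hello-world` (two cached 204s after earlier 200s) and `/pricing` (cached 204, never seen returning content), and ignores `/api/health`. If a route shows up here, purge it from the CDN in addition to upgrading, since the poisoned entry lives in the CDN's cache, not in the Next.js process.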
Next.js Cache Poisoning Vulnerability
For this vulnerability to be exploitable, all of the following conditions must hold at the same time:
- Affected Next.js version: the application runs a Next.js release between 15.1.0 and 15.1.7 inclusive.
- ISR configuration: the application has a route that uses Incremental Static Regeneration (ISR) with cache revalidation, and the app is served with `next start` or in standalone mode.
- SSR and CDN setup: the application has a route using Server-Side Rendering (SSR) and sits behind a Content Delivery Network (CDN) that is configured to cache HTTP 204 responses.
The CDN is what turns a framework bug into an outage: a 204 that Next.js emits once is stored by the CDN and replayed to every subsequent visitor for as long as the cached entry lives.
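The first of the conditions above is the easiest to check. The snippet below is an added example, not from the advisory or the Next.js project: it takes an installed Next.js version string and decides whether it falls in the affected range the advisory names (15.1.0 up to and including 15.1.7, fixed in 15.1.8). It compares versions with semver ordering, so prerelease builds such as `15.1.8-canary.1` sort below `15.1.8`; the range bounds are from the advisory, everything else in the code is this example's own.

```javascript
// Added example: is an installed Next.js version inside the affected range?
// Bounds come from the advisory; the parsing and comparison logic is this
// example's own, not code from Next.js.
const AFFECTED_MIN = '15.1.0'; // first affected release, inclusive
const FIXED = '15.1.8';        // first fixed release, exclusive upper bound

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Ranges like "^15.1.5" from package.json are rejected on purpose: the
// installed version comes from the lockfile or node_modules, not the range.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) {
    throw new Error(`not an exact semver version: "${v}" (resolve ranges via the lockfile first)`);
  }
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: compare the numeric core, then treat a prerelease as
// lower than the plain release of the same core (15.1.8-canary.2 < 15.1.8),
// comparing prerelease identifiers numerically when both are numeric.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts lower
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (+x !== +y) return +x < +y ? -1 : 1;
    } else if (xn) {
      return -1; // numeric identifiers sort below alphanumeric ones
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// Returns { version, affected, fixedIn, note }. Prerelease builds are judged
// by semver ordering only; confirm them against the advisory directly.
function assessNextVersion(version) {
  const v = parseVersion(version);
  const affected =
    compareVersions(v, parseVersion(AFFECTED_MIN)) >= 0 &&
    compareVersions(v, parseVersion(FIXED)) < 0;
  return {
    version,
    affected,
    fixedIn: FIXED,
    note: v.pre ? 'prerelease build: ordering follows semver, check the advisory' : '',
  };
}

// Constructed sample versions for illustration.
for (const ver of ['14.2.30', '15.0.9', '15.1.0', '15.1.7', '15.1.8', '15.1.8-canary.1', '15.2.0']) {
  const r = assessNextVersion(ver);
  console.log(`${ver.padEnd(16)} affected=${r.affected}${r.note ? '  (' + r.note + ')' : ''}`);
}
```

To check a real deployment, print the installed version from the application directory with `node -p "require('next/package.json').version"` and pass that string to `assessNextVersion`. Note that the version check is necessary but not sufficient: an application on 15.1.x that is not served via `next start` or standalone mode, or whose CDN never caches 204s, does not meet the other two conditions.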
Platform-specific protection: the advisory states that customers hosted on Vercel's platform are not affected. It does not say why; given that exploitation depends on serving the app with `next start` or in standalone mode behind a CDN that caches 204 responses, the most likely explanation is that Vercel's hosting does not satisfy those conditions.
Note also that the damage outlives the attacker's request: once a 204 is cached at the CDN, it keeps being served until that entry expires or is purged, so restarting or redeploying the Next.js server alone does not restore the page.
Responsible Disclosure
The Next.js development team fixed the vulnerability by removing the code path that generated the inappropriate 204 responses in the first place.
The fix also removed a race condition that contributed to the cache poisoning: the framework no longer relies on a shared response object to populate the Next.js response cache.
Together these two changes address both the immediate symptom (an empty response that could be cached) and the underlying cause (the shared state that let one request's response leak into another's cache entry). Users of the affected range should upgrade to Next.js 15.1.8 or later.
Security researchers Allam Rachid (zhero) and Allam Yasser (inzo_) are credited with responsibly disclosing the vulnerability, giving the development team time to ship a fix before details became public.