Severity: LOW (3.7) · Ecosystem: npm

Next.js Race Condition to Cache Poisoning

GHSA-qpjv-v59x-3qc4 · CVE-2025-32421

Description

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.
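
A defender's check for the symptom described above, as an added example that is not part of the advisory or of Next.js itself: it scans captured cache entries and flags normal page URLs whose stored body is a `pageProps` JSON payload rather than HTML. The entry shape (`url`, `headers`, `body`), the function names and the sample data are assumptions made for illustration.

```javascript
// Next.js serves page data for client-side navigation under this prefix.
const DATA_ROUTE_PREFIX = "/_next/data/";

// Case-insensitive Content-Type lookup, parameters such as charset removed.
function mediaType(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "content-type") {
      return String(value).split(";")[0].trim().toLowerCase();
    }
  }
  return "";
}

// True when the body is a JSON object with a top-level pageProps key.
function isPagePropsPayload(body) {
  try {
    const parsed = JSON.parse(body);
    return parsed !== null && typeof parsed === "object" &&
      !Array.isArray(parsed) && Object.hasOwn(parsed, "pageProps");
  } catch {
    return false; // HTML or any other non-JSON body
  }
}

// entries: [{ url, headers, body }] exported from the cache under review (assumed shape).
function findPoisonedEntries(entries) {
  return entries
    .filter(({ url, body }) => {
      const path = new URL(url, "https://placeholder.invalid").pathname;
      // JSON is the expected response on data routes, so skip them.
      return !path.startsWith(DATA_ROUTE_PREFIX) && isPagePropsPayload(body);
    })
    .map(({ url, headers }) => ({ url, contentType: mediaType(headers) }));
}

// Constructed sample entries, not real traffic.
const SAMPLE_ENTRIES = [
  { url: "/pricing", headers: { "Content-Type": "text/html; charset=utf-8" },
    body: "<!DOCTYPE html><html><body>Pricing</body></html>" },
  { url: "/_next/data/BUILD_ID/pricing.json", headers: { "content-type": "application/json" },
    body: '{"pageProps":{"plan":"free"}}' },
  { url: "/about", headers: { "content-type": "application/json" },
    body: '{"pageProps":{"team":[]}}' },
  { url: "/api/health", headers: { "content-type": "application/json" },
    body: '{"ok":true}' },
];

console.log(findPoisonedEntries(SAMPLE_ENTRIES));
```

Only `/about` is reported: the data route and the API route legitimately return JSON, and `/pricing` holds HTML.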

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.