Next.js has a Cache poisoning vulnerability due to omission of the Vary header

GHSA-r2fc-ccr8-96c4 · CVE-2025-49005

Published Jul 3, 2025 · Modified Feb 4, 2026

Description

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-49005
WEB https://github.com/vercel/next.js/issues/79346
WEB https://github.com/vercel/next.js/pull/79939
WEB https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066
PACKAGE https://github.com/vercel/next.js
WEB https://github.com/vercel/next.js/releases/tag/v15.3.3
WEB https://vercel.com/changelog/cve-2025-49005

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes