Next.JS vulnerability can lead to DoS via cache poisoning

GHSA-67rr-84xm-4c7r · CVE-2025-49826

Published Jul 3, 2025 · Modified Jul 3, 2025

Description

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

Allam Rachid zhero;
Allam Yasser (inzo)

References

WEB https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-49826
WEB https://github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2
WEB https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93
PACKAGE https://github.com/vercel/next.js
WEB https://github.com/vercel/next.js/releases/tag/v15.1.8
WEB https://vercel.com/changelog/cve-2025-49826

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes