CVE-2025-32421

Published May 14, 2025

Last updated 3 days ago

CVSS low 3.7
React
Next.js

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-32421 is a race condition vulnerability affecting the Next.js framework, specifically impacting the Pages Router under certain misconfigurations. This vulnerability can cause normal endpoints to serve `pageProps` data instead of standard HTML. The issue affects Next.js versions prior to 14.2.24 and 15.1.6. The vulnerability can be exploited when an attacker leverages a race condition between two requests: one containing the `?__nextDataRequest=1` query parameter and another with the `x-now-route-matches` header. Some CDN providers might cache a 200 OK response even without explicit cache-control headers, which could lead to a poisoned response being served to subsequent users. The vulnerability was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests.

Description
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content delivery network (CDN) and setting `cache-control: no-store` for all responses at risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.
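The interim mitigation above (strip the header before it reaches the framework, force `cache-control: no-store` on at-risk responses) can also be applied in a self-hosted custom server when no CDN rule is available. The following is an added example, not code from the Next.js project or the advisory: an Express/Connect-style middleware that drops `x-now-route-matches`, sets `no-store`, and flags the request shape the advisory names (the header combined with `?__nextDataRequest=1`) so it can be logged. `AT_RISK_PREFIXES`, the constructed request/response objects and the function names are assumptions for the example.

```javascript
// Added example (not Next.js project code): interim mitigation for
// CVE-2025-32421 on a self-hosted Next.js deployment, as the advisory
// describes it: drop the `x-now-route-matches` request header before it
// reaches the framework, and force `cache-control: no-store` on responses
// for routes considered at risk. Also flags the request shape the advisory
// names (the header together with `?__nextDataRequest=1`) for logging.
// Assumes an Express/Connect-style (req, res, next) handler chain placed in
// front of Next's request handler.

const STRIPPED_HEADERS = new Set(["x-now-route-matches"]);

// Constructed placeholder: path prefixes served by the Pages Router that an
// intermediary must never cache without an explicit cache policy.
const AT_RISK_PREFIXES = ["/"];

// Remove every header whose (case-insensitive) name is on the strip list.
// Node already lowercases incoming header names; normalising here keeps the
// function correct for header objects built by hand as well.
function stripUntrustedHeaders(headers) {
  const removed = [];
  for (const name of Object.keys(headers)) {
    if (STRIPPED_HEADERS.has(name.toLowerCase())) {
      delete headers[name];
      removed.push(name.toLowerCase());
    }
  }
  return removed;
}

// True when the request matches the shape the advisory describes: the
// routing header present together with the data-request query flag.
function isSuspiciousRequest(url, headers) {
  const query = new URL(url, "http://localhost").searchParams;
  const hasHeader = Object.keys(headers).some((n) => STRIPPED_HEADERS.has(n.toLowerCase()));
  return hasHeader && query.get("__nextDataRequest") === "1";
}

function isAtRiskPath(url) {
  const path = new URL(url, "http://localhost").pathname;
  return AT_RISK_PREFIXES.some((p) => path.startsWith(p));
}

// The middleware itself. It returns a small report so callers (and tests)
// can see what it did; in production, send `removed`/`suspicious` to logs.
function cve202532421Mitigation(req, res, next) {
  const suspicious = isSuspiciousRequest(req.url, req.headers); // check before stripping
  const removed = stripUntrustedHeaders(req.headers);
  const atRisk = isAtRiskPath(req.url);
  if (atRisk) {
    res.setHeader("Cache-Control", "no-store");
  }
  if (typeof next === "function") next();
  return { removed, suspicious, noStore: atRisk };
}

// Minimal constructed request/response objects so the example runs offline.
function makeRequest(url, headers) {
  return { url, headers: { ...headers } };
}

function makeResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

// Run the middleware over a constructed request and return what happened.
function demo() {
  const req = makeRequest("/blog/post?__nextDataRequest=1", {
    host: "example.test",
    "x-now-route-matches": "1",
  });
  const res = makeResponse();
  const report = cve202532421Mitigation(req, res, () => {});
  return {
    report,
    headerStillPresent: "x-now-route-matches" in req.headers,
    cacheControl: res.getHeader("cache-control"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Register the middleware ahead of `app.all('*', handle)` (or whatever hands requests to Next) so the header is gone before routing happens. The `no-store` header is the part that protects users behind a CDN that caches on `200 OK` alone; stripping the header alone removes the trigger, and doing both is what the advisory recommends for self-hosters who cannot upgrade yet.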
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 3.7
Impact score: 1.4
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: LOW

Weaknesses

CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, "Race Condition"), assigned by security-advisories@github.com
