AI description
CVE-2025-49826 is a vulnerability affecting the Next.js React framework. It involves a cache poisoning bug that can lead to a Denial of Service (DoS) condition. The vulnerability exists in Next.js versions 15.0.4-canary.51 up to, but not including, 15.1.8. Under specific conditions, the vulnerability allows an HTTP 204 response to be cached for static pages. This can result in the 204 response being served to all users attempting to access the page, effectively making the content inaccessible. The issue has been resolved in Next.js version 15.1.8 by removing the problematic code path and eliminating a race condition.
- Description: Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
- Source: security-advisories@github.com
- NVD status: Received
CVSS 3.1
- Type: Secondary
- Base score: 7.5
- Impact score: 3.6
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Severity: HIGH
- security-advisories@github.com: CWE-444
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 13
Next.js 204 DOS CVE-2025-49826 https://t.co/X7wjwHuHq4
@hir0k1sawada
8 Jul 2025
160 Impressions
0 Retweets
2 Likes
1 Bookmark
0 Replies
0 Quotes
Next.js Flaw (CVE-2025-49826): Cache poisoning in v15.1.0-15.1.7. Update to stay safe! 🔍 #WebSecurity https://t.co/QKfshc04dB
@CyberWolfGuard
7 Jul 2025
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49826: Cache poisoning in Next js. Indefinite caching of 204 responses makes the affected pages inaccessible…
@freedomhack101
7 Jul 2025
64 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Cache poisoning vulnerability in Next.js (CVE-2025-49826) #セキュリティ対策Lab #セキュリティ #Security https://t.co/aPPvP6UzgZ
@securityLab_jp
7 Jul 2025
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-49826: Next.js Cache Poisoning https://t.co/7pTkYIsKnC affects versions 15.1.0 through 15.1.7. 📊11.6M Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/lW50g3nZjU 👇Query HUNTER : https://t.co/q9rtuGgxk7="Next.js" h
@HunterMapping
7 Jul 2025
4116 Impressions
20 Retweets
69 Likes
35 Bookmarks
1 Reply
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2023-20867 2 - CVE-2024-29745 3 - CVE-2025-5777 4 - CVE-2025-49826 5 - CVE-2023-52927 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
6 Jul 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical NextJS vulnerability (CVE-2025-49826) allows cache poisoning leading to DoS attacks. Affected versions: 15.1.0-15.1.8. Update to 15.1.8+ immediately! Link: https://t.co/nchw4Fbm8l #Security #Vulnerability #Update #NextJS #Cache #Poisoning #Attack #DoS #Software #Patch
@dailytechonx
5 Jul 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚡️The vulnerability details are now available: https://t.co/cyR5erFxXF 🚨🚨CVE-2025-49826 hits Next.js with a nasty cache poisoning bug! This flaw lets attackers trigger a DoS by caching HTTP 204 responses for static pages, serving blank responses to ALL users. Search
@zoomeye_team
5 Jul 2025
600 Impressions
0 Retweets
7 Likes
3 Bookmarks
0 Replies
0 Quotes
🔴 NextJS, Denial of Service (DoS) via Cache Poisoning, #CVE-2025-49826 (High Severity) https://t.co/9kagwFwssk
@dailycve
5 Jul 2025
47 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
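A serious vulnerability (CVE-2025-49826) has been discovered in Next.js. When an attacker deliberately injects an empty HTTP 204 response into the cache, a DoS attack in which a blank page keeps being returned to all users who subsequently access that page…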
@yousukezan
5 Jul 2025
1284 Impressions
3 Retweets
19 Likes
4 Bookmarks
0 Replies
0 Quotes
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only + requires a misconfigured CDN
@inzo____
4 Jul 2025
8193 Impressions
16 Retweets
160 Likes
52 Bookmarks
3 Replies
0 Quotes
CVE-2025-49826: DoS in Next.js, 7.5 rating❗️ A vulnerability in some versions of the Next.js framework allows attackers to perform cache poisoning, leading to a DoS. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/0tGXhfN3ou #cybersecurity #vulnerability_map htt
@Netlas_io
4 Jul 2025
43 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-49826 Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of S… https://t.co/36mECxIvAK
@CVEnew
3 Jul 2025
677 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes