CVE-2025-49826

Published Jul 3, 2025

Last updated 6 months ago

CVSS high 7.5
React
Next.js

Overview

Description
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow an HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.
Source
security-advisories@github.com
NVD status
Analyzed
Products
next.js

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-444

Social media

  1. #VulnerabilityReport #CachePoisoning Next.js Flaw (CVE-2025-49826, CVSS 7.5): Cache Poisoning Leads to Denial-of-Service https://t.co/dWO5jp7NG9

    @Komodosec

    9 Aug 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Hi ! HExHTTP v1.9.2: News: - CVE Next.js CPDoS by @zhero___ research & @Wlayzz PoC (CVE-2025-49826) - Module to check CP via backslash transformation - Akamai checks Updated: -Cleaning & tidying up threads - +50 new HTTP methods & more ! HF ! https://t.co/rKm

    @c0dejump

    15 Jul 2025

    19 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  3. ⚠️Vulnerability in Next.js ❗CVE-2025-49826 ➡️More info: https://t.co/5jtsMmxFqD https://t.co/Kd6oucpPln

    @CERTpy

    9 Jul 2025

    80 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Next.js 204 DOS CVE-2025-49826 https://t.co/X7wjwHuHq4

    @hir0k1sawada

    8 Jul 2025

    855 Impressions

    1 Retweet

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. Next.js Flaw (CVE-2025-49826): Cache poisoning in v15.1.0-15.1.7. Update to stay safe! 🔍 #WebSecurity https://t.co/QKfshc04dB

    @CyberWolfGuard

    7 Jul 2025

    45 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-49826: Cache poisoning in Next js. Indefinite caching of a 204 response makes it impossible to access the affected

    @freedomhack101

    7 Jul 2025

    129 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Cache poisoning vulnerability in Next.js (CVE-2025-49826) #セキュリティ対策Lab #セキュリティ #Security https://t.co/aPPvP6UzgZ

    @securityLab_jp

    7 Jul 2025

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨Alert🚨 CVE-2025-49826: Next.js Cache Poisoning https://t.co/7pTkYIsKnC affects versions 15.1.0 through 15.1.7. 📊11.6M Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter Link:https://t.co/lW50g3nZjU 👇Query HUNTER : https://t.co/q9rtuGgxk7="Next.js" h

    @HunterMapping

    7 Jul 2025

    4116 Impressions

    20 Retweets

    69 Likes

    35 Bookmarks

    1 Reply

    0 Quotes

  9. Top 5 Trending CVEs: 1 - CVE-2023-20867 2 - CVE-2024-29745 3 - CVE-2025-5777 4 - CVE-2025-49826 5 - CVE-2023-52927 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    6 Jul 2025

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Critical NextJS vulnerability (CVE-2025-49826) allows cache poisoning leading to DoS attacks. Affected versions: 15.1.0-15.1.8. Update to 15.1.8+ immediately! Link: https://t.co/nchw4Fbm8l #Security #Vulnerability #Update #NextJS #Cache #Poisoning #Attack #DoS #Software #Patch

    @dailytechonx

    5 Jul 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. ⚡️The vulnerability details are now available: https://t.co/cyR5erFxXF 🚨🚨CVE-2025-49826 hits Next.js with a nasty cache poisoning bug! This flaw lets attackers trigger a DoS by caching HTTP 204 responses for static pages, serving blank responses to ALL users. Search

    @zoomeye_team

    5 Jul 2025

    600 Impressions

    0 Retweets

    7 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  12. 🔴 NextJS, Denial of Service (DoS) via Cache Poisoning, #CVE-2025-49826 (High Severity) https://t.co/9kagwFwssk

    @dailycve

    5 Jul 2025

    47 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

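  13. A serious vulnerability (CVE-2025-49826) has been discovered in Next.js. By deliberately injecting an empty HTTP 204 response into the cache, an attacker causes a blank page to keep being returned to all users who access that page afterwards, a DoS attack that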

    @yousukezan

    5 Jul 2025

    1284 Impressions

    3 Retweets

    19 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  14. back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826 both routers are impacted: app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN pages router: SSR pages only + requires a misconfigured CDN

    @inzo____

    4 Jul 2025

    8193 Impressions

    16 Retweets

    160 Likes

    52 Bookmarks

    3 Replies

    0 Quotes

  15. CVE-2025-49826: DoS in Next.js, 7.5 rating❗️ A vulnerability in some versions of the Next.js framework allows attackers to perform cache poisoning, leading to a DoS. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/0tGXhfN3ou #cybersecurity #vulnerability_map htt

    @Netlas_io

    4 Jul 2025

    43 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-49826 Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of S… https://t.co/36mECxIvAK

    @CVEnew

    3 Jul 2025

    677 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

Configurations

  1. A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

     1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
     2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

     Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

     To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

     CVE-2025-59472
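The two unbounded operations named in the description above, `Buffer.concat()` over a whole request body and `inflateSync()` with no output limit, each have a bounded form in Node.js. The following is an added example, not code from Next.js or its patch; the function names and both size limits are assumptions chosen for illustration.

```javascript
const zlib = require('node:zlib');

// Assumed limits for illustration; size them to the largest legitimate payload.
const MAX_BODY_BYTES = 1 * 1024 * 1024;      // compressed request body
const MAX_INFLATED_BYTES = 8 * 1024 * 1024;  // decompressed state

// Collects request chunks but refuses to hold more than `limit` bytes in memory.
function createBodyCollector(limit = MAX_BODY_BYTES) {
  const chunks = [];
  let total = 0;
  return {
    push(chunk) {
      total += chunk.length;
      if (total > limit) {
        chunks.length = 0; // release what was buffered so far
        const err = new Error(`request body exceeds ${limit} bytes`);
        err.statusCode = 413; // caller maps this to "Payload Too Large"
        throw err;
      }
      chunks.push(chunk);
    },
    end() {
      return Buffer.concat(chunks);
    },
  };
}

// Inflates `compressed`, failing instead of allocating past `maxOutput` bytes.
function boundedInflate(compressed, maxOutput = MAX_INFLATED_BYTES) {
  try {
    return { ok: true, data: zlib.inflateSync(compressed, { maxOutputLength: maxOutput }) };
  } catch (err) {
    return { ok: false, reason: err.code || err.message };
  }
}

// Constructed sample: 32 MiB of zeros deflates to a few tens of KiB, so it
// passes the body limit and is only stopped by the decompression limit.
function demo() {
  const small = zlib.deflateSync(Buffer.alloc(32 * 1024 * 1024));
  const collector = createBodyCollector();
  for (let i = 0; i < small.length; i += 4096) collector.push(small.subarray(i, i + 4096));
  const body = collector.end();
  return { compressedBytes: body.length, result: boundedInflate(body) };
}
```

The constructed sample shows why a request-size limit at a reverse proxy is not sufficient on its own: the compressed body is well under the body limit, and only the `maxOutputLength` check rejects it.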