CVE-2025-49826

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-49826
Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93
https://github.com/vercel/next.js/releases/tag/v15.1.8
https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r
https://vercel.com/changelog/cve-2025-49826
Configurations

No configuration.

History

08 Jul 2025, 16:19

Type Values Removed Values Added
Summary
  • (es) Next.js es un framework React para crear aplicaciones web full-stack. Desde la versión 15.0.4-canary.51 hasta la versión anterior a la 15.1.8, se detectó un error de envenenamiento de caché que provocaba una condición de denegación de servicio (DoS) en Next.js. Este problema no afecta a los clientes alojados en Vercel. En ciertas circunstancias, este problema puede permitir que se almacene en caché una respuesta HTTP 204 para páginas estáticas, lo que hace que la respuesta 204 se muestre a todos los usuarios que intentan acceder a la página. Este problema se ha solucionado en la versión 15.1.8.

03 Jul 2025, 22:15

Type Values Removed Values Added
Summary (en) Next.js is a React framework for building full-stack web applications. From versions 15.1.0 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8. (en) Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8.

03 Jul 2025, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-03 21:15

Updated : 2025-07-08 16:19

NVD link : CVE-2025-49826

Mitre link : CVE-2025-49826

CVE.ORG link : CVE-2025-49826

JSON object : View

Products Affected

No product.

CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')