Bug 2376222 (CVE-2025-49005)

Summary: CVE-2025-49005 nextjs: Next.js cache poisoning
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bbrownin, caswilli, chfoley, gotiwari, jhorak, kaycoth, lball, mvyas, ngough, swoodman, tpopela, veshanka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A cache poisoning flaw has been discovered in Next.js. This flaw can allow page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2376246, 2376247, 2376237, 2376238, 2376239, 2376240, 2376241, 2376242, 2376243, 2376244, 2376245    
Bug Blocks:    

Description OSIDB Bzimport 2025-07-03 22:01:17 UTC 
Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3.