Bug 2366366 (CVE-2025-32421) - CVE-2025-32421 next.js: Next.js Race Condition to Cache Poisoning
Summary: CVE-2025-32421 next.js: Next.js Race Condition to Cache Poisoning
Keywords:
Status: NEW
Alias: CVE-2025-32421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2366396 2366398 2366400 2366402 2366393 2366394 2366395 2366397 2366399 2366401
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-14 23:01 UTC by OSIDB Bzimport
Modified: 2025-05-28 15:44 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-05-14 23:01:08 UTC 
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve `pageProps` data instead of standard HTML. This issue was patched in versions 15.1.6 and 14.2.24 by stripping the `x-now-route-matches` header from incoming requests. Applications hosted on Vercel's platform are not affected by this issue, as the platform does not cache responses based solely on `200 OK` status without explicit `cache-control` headers. Those who self-host Next.js deployments and are unable to upgrade immediately can mitigate this vulnerability by stripping the `x-now-route-matches` header from all incoming requests at the content development network and setting `cache-control: no-store` for all responses under risk. The maintainers of Next.js strongly recommend only caching responses with explicit cache-control headers.
Note You need to log in before you can comment on or make changes to this bug.