Bug 2376222 (CVE-2025-49005) - CVE-2025-49005 nextjs: Next.js cache poisoning
Summary: CVE-2025-49005 nextjs: Next.js cache poisoning
Keywords:
Status: NEW
Alias: CVE-2025-49005
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2376237 2376238 2376239 2376240 2376241 2376242 2376243 2376244 2376245 2376246 2376247
Blocks:
Reported: 2025-07-03 22:01 UTC by OSIDB Bzimport
Modified: 2025-07-03 23:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-07-03 22:01:17 UTC
Next.js is a React framework for building full-stack web applications. A cache poisoning vulnerability was found in the Next.js App Router in versions 15.3.0 up to, but not including, 15.3.3, and in Vercel CLI versions 41.4.1 to 42.2.0. Under certain conditions, a page request for HTML content could be answered with a React Server Component (RSC) payload instead. When deployed to Vercel, this only affected the browser cache and did not lead to the CDN being poisoned. When self-hosted and deployed behind an external CDN, it could lead to cache poisoning if the CDN does not distinguish between RSC and HTML responses in its cache keys. This issue has been resolved in Next.js 15.3.3.
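The last condition in the description, a CDN whose cache key does not separate the RSC and HTML representations of one URL, is modelled below in an added example that is not part of this bug report or of the Next.js project. It assumes the App Router convention of a client asking for the RSC payload with an `RSC: 1` request header and the origin answering with `Vary: RSC`; the `Cache` class is a minimal intermediary that either applies the RFC 9111 secondary key derived from `Vary` or keys on the URL alone.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict


def origin(path: str, req: dict) -> Response:
    """Constructed stand-in for an App Router origin: one URL, two representations."""
    if req.get("rsc") == "1":  # assumption: RSC payload is selected by the `RSC: 1` header
        return Response(f"RSC-PAYLOAD:{path}", {"Vary": "RSC", "Content-Type": "text/x-component"})
    return Response(f"<html>{path}</html>", {"Vary": "RSC", "Content-Type": "text/html"})


@dataclass
class Cache:
    honor_vary: bool  # False models a CDN that keys on the URL only
    store: dict = field(default_factory=dict)

    def fetch(self, path: str, req: dict) -> tuple[Response, bool]:
        """Return (response, cache_hit) for a request, filling the cache on a miss."""
        req = {k.lower(): v for k, v in req.items()}
        # RFC 9111-style secondary key: a stored entry matches only if every header
        # named in its Vary list carried the same value on the request that stored it.
        for vary_fields, selected, resp in self.store.get(path, []):
            if all(req.get(h) == selected.get(h) for h in vary_fields):
                return resp, True
        resp = origin(path, req)
        vary_fields = []
        if self.honor_vary:
            vary_fields = [h.strip().lower() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        selected = {h: req.get(h) for h in vary_fields}
        self.store.setdefault(path, []).append((vary_fields, selected, resp))
        return resp, False


def page_load_content_type(honor_vary: bool) -> str:
    """Warm the cache with a client-side navigation (RSC request), then perform a
    plain browser page load of the same URL and report the Content-Type it receives."""
    cache = Cache(honor_vary)
    cache.fetch("/dashboard", {"RSC": "1"})
    resp, _ = cache.fetch("/dashboard", {})
    return resp.headers["Content-Type"]
```

A URL-only cache hands the browser `text/x-component` on the second request, which is the poisoned state; a Vary-aware cache (or one whose key explicitly includes the `RSC` header) returns `text/html`, so checking how a self-hosted CDN builds its key for these responses is the practical mitigation.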

